DSA-2020-076: Dell EMC Integrated Data Protection Appliance Security Update for Apache Tomcat Ghostcat Vulnerability

The component is updated for the following vulnerability:    

• CVE-2020-1938
  9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

For more information about any of the Common Vulnerabilities and Exposures (CVEs) mentioned here, consult the National Vulnerability Database (NVD) at http://nvd.nist.gov/home.cfm. 

To search for a particular CVE, use the database s search utility at http://web.nvd.nist.gov/view/vuln/search.

Affected products:    
Dell EMC Integrated Data Protection Appliance 2.0
Dell EMC Integrated Data Protection Appliance 2.1
Dell EMC Integrated Data Protection Appliance 2.2
Dell EMC Integrated Data Protection Appliance 2.3
Dell EMC Integrated Data Protection Appliance 2.4
Dell EMC Integrated Data Protection Appliance 2.5

Remediation:
Follow the steps below to mitigate the vulnerability from the Appliance Configuration Manager (ACM) virtual machine in the Integrated Data Protection Appliance.

Log in to Appliance Configuration Manager (ACM) virtual machine using an SSH client such as PuTTY as root user and execute the following:    

1. Stop ACM webapp:   

service dataprotection_webapp stop

2. Edit the file  /usr/local/dataprotection/tomcat/conf/server.xml  using vi editor

vi /usr/local/dataprotection/tomcat/conf/server.xml

3. Remove following line of AJP connector for 8009 port mentioned below:    

(Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /)

4. Save the file and exit editor.

5. Start ACM webapp:    

service dataprotection_webapp start

Note: A hotfix will be made available for Dell EMC Integrated Data Protection Appliance version 2.5 and is targeted for Q32020.