Published on 2020-02-24, this advisory concerns a serious file read/inclusion (Local File Inclusion, LFI) vulnerability in the Apache JServ Protocol (AJP) connector of Apache Tomcat that can lead to Remote Code Execution (RCE). AJP, which listens by default on TCP port 8009, is a binary protocol that forwards requests received by a front-end web server to an application server in order to improve performance. Vulnerable Tomcat versions, for which Apache has made fixes available, are:
Affected Apache Tomcat versions
Apache Tomcat 9.0.30 and below
Apache Tomcat 8.5.50 and below
Apache Tomcat 7.0.99 and below
Some BMC products use a vulnerable version of Apache Tomcat. If the AJP connector is enabled, ensure that its definition in the Tomcat /conf/server.xml file contains the "requiredSecret" attribute, the "secret" attribute (which acts like a password, so its value must be strong and unique), and the "address" attribute set to "localhost".
The "secret" attribute must also be specified on each worker that needs to connect to Tomcat. For example, if using Apache (httpd), it has to be defined in the "mod_proxy_ajp" configuration file.
You can also put firewall protection in place on the connector port to allow local connections only (or connections from trusted sources, if needed), depending on the services running on your Tomcat instance.
BMC is working on upgrading Tomcat to the fixed version. Meanwhile, it is recommended to implement the above-mentioned configuration change, which mitigates this vulnerability.
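As an added illustration that is not part of the BMC advisory, the following Python script audits the AJP connectors in a server.xml file for the two settings described above (a shared secret and a loopback "address"); the embedded sample server.xml, the 16-character minimum secret length, and the loopback address list are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (not from the advisory): the first AJP
# connector is defined as shipped by default, the second is hardened as the
# advisory recommends. A connector wrapped in <!-- --> is skipped by the parser,
# which matches Tomcat's behaviour of ignoring commented-out connectors.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="AJP/1.3" address="localhost"
               secret="Ch4nge-me-to-a-long-random-value" />
  </Service>
</Server>
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
MIN_SECRET_LEN = 16  # assumption: shorter shared secrets are reported as weak


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding dict per AJP connector found in a server.xml document."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")  # Tomcat defaults to HTTP/1.1
        if not (proto.startswith("AJP") or "coyote.ajp" in proto):
            continue
        issues = []
        # Either attribute name may carry the shared secret, depending on the
        # Tomcat release ("requiredSecret" on the affected branches, "secret" later).
        secret = conn.get("secret") or conn.get("requiredSecret") or ""
        if not secret:
            issues.append("no shared secret configured")
        elif len(secret) < MIN_SECRET_LEN:
            issues.append("shared secret is short")
        address = conn.get("address")
        if address is None:
            issues.append("bound to all interfaces (no address attribute)")
        elif address not in LOOPBACK:
            issues.append("bound to non-loopback address " + address)
        findings.append({"port": conn.get("port"), "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not f["issues"] else "; ".join(f["issues"])
        print("AJP connector on port %s: %s" % (f["port"], status))
```

Run it against a real server.xml by reading the file into a string; an AJP connector that reports "OK" still needs the matching secret on every worker, as the next paragraph explains.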