Micro Focus Enterprise Software Vulnerability Alerts

Micro Focus incorporates IT industry best practices during the product development lifecycle to ensure a strong focus on security. Micro Focus engineering and manufacturing practices are designed to meet product security requirements, protect Micro Focus intellectual property, and support Micro Focus product warranty requirements.

When a new industry-wide security vulnerability is released, Micro Focus investigates its product line to determine the impact. For impacted products, Security Bulletins will be published. These bulletins will contain impacted product versions and the resolution (patch, upgrade, or configuration change).

You may subscribe to receive real-time notifications on future Micro Focus Security Bulletins and advisories for your products.

Recent Documents

1. KM03631622 - Operations Bridge Manager. Apache Tomcat vulnerability CVE-2020-1938

A vulnerability in Apache Tomcat was addressed by Operations Bridge Manager. The vulnerability could be exploited to allow file content disclosure of the web application or remote code execution. When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this connector would be disabled if not required. This vulnerability report identified a mechanism that allowed:
- returning arbitrary files from anywhere in the web application
- processing any file in the web application as a JSP
Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means), then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defense-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations. https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-1938

Affected products: Operations Bridge Manager 10.12, 10.60, 10.61, 10.62, 10.63, 2018.05, 2018.11, 2019.05, 2019.11
Category: Security Bulletins
Created: Tue Mar 31 00:00:00 GMT 2020
Modified: Fri Jul 10 00:00:00 GMT 2020
Status: public, published
2. KM03672514 - Hybrid Cloud Management. File content disclosure vulnerability, CVE-2020-1938.

A potential vulnerability has been identified in some components that ship with Hybrid Cloud Management. The vulnerability could be exploited to allow file content disclosure of the web application or remote code execution.

Affected products: Hybrid Cloud Management Containerized 2018.05, 2018.08, 2018.11, 2019.02, 2019.05, 2019.08, 2019.11
Category: Security Bulletins
Created: Fri Jul 10 00:00:00 GMT 2020
Modified: Fri Jul 10 00:00:00 GMT 2020
Status: public, published
3. KM03670840 - Cloud Service Automation. File content disclosure vulnerability, CVE-2020-1938.

A potential vulnerability has been identified in a component that integrates with Cloud Service Automation. The vulnerability could be exploited to allow file content disclosure of the web application or remote code execution.

Affected products: Cloud Service Automation 4.70, 4.80, 4.92, 4.94, 4.95, 4.99
Category: Security Bulletins
Created: Wed Jul 08 00:00:00 GMT 2020
Modified: Wed Jul 08 00:00:00 GMT 2020
Status: public, published
4. KM03650893 - ArcSight Management Center. Cross-Site Scripting vulnerability, CVE-2020-11838, CVE-2020-11840 and CVE-2020-11841.

Potential vulnerabilities have been identified in Micro Focus ArcSight Management Center. The vulnerabilities could be remotely exploited resulting in cross-site scripting (XSS) or information disclosure.

Affected products: ArcSight Management Center 2.61, 2.7, 2.8, 2.81, 2.9, 2.91, 2.92, 2.93
Category: Security Bulletins
Created: Tue Jun 09 00:00:00 GMT 2020
Modified: Tue Jun 09 00:00:00 GMT 2020
Status: public, published
5. KM03650888 - ArcSight Enterprise Security Manager (ESM). Cross-Site Scripting vulnerability, CVE-2020-9522

A potential vulnerability has been identified in Micro Focus ArcSight Enterprise Security Manager. The vulnerability could be remotely exploited resulting in cross-site scripting (XSS).

Affected products: ArcSight Enterprise Security Manager 7.0, 7.2
Category: Security Bulletins
Created: Tue Jun 09 00:00:00 GMT 2020
Modified: Tue Jun 09 00:00:00 GMT 2020
Status: public, published
6. KM03650887 - ArcSight Logger. Cross-Site Scripting vulnerability, CVE-2020-11839.

A potential vulnerability has been identified in Micro Focus ArcSight Logger. The vulnerability could be remotely exploited resulting in cross-site scripting (XSS).

Affected products: ArcSight Logger Software 6.61, 6.7, 6.71, 6.9.1, 7.0
Category: Security Bulletins
Created: Tue Jun 09 00:00:00 GMT 2020
Modified: Tue Jun 09 00:00:00 GMT 2020
Status: public, published
7. KM03645642 - ArcSight products: Enterprise Security Manager, Interset, Transformation Hub and Investigate. Incorrect Authorization vulnerability, CVE-2020-11844.

A potential vulnerability has been identified in the Micro Focus Container Deployment Foundation component that ships with some Micro Focus ArcSight products. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.

Affected products: ArcSight Enterprise Security Manager 7.2.1; ArcSight Interset Standard Edition; ArcSight Investigate 2.40, 3.00, 3.10; ArcSight Transformation Hub 3.00, 3.10, 3.20
Category: Security Bulletins
Created: Thu May 28 00:00:00 GMT 2020
Modified: Fri May 29 00:00:00 GMT 2020
Status: public, published
8. KM03645636 - Hybrid Cloud Management. Incorrect Authorization vulnerability, CVE-2020-11844.

A potential vulnerability has been identified in the Micro Focus Container Deployment Foundation component that ships with Hybrid Cloud Management. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.

Affected products: Hybrid Cloud Management (all versions)
Category: Security Bulletins
Created: Thu May 28 00:00:00 GMT 2020
Modified: Fri May 29 00:00:00 GMT 2020
Status: public, published
9. KM03645637 - Cloud Optimizer. Apache Tomcat vulnerability, CVE-2020-1938.

A security vulnerability relating to the Apache JServ Protocol (AJP) in Apache Tomcat has been published in an Apache Tomcat security bulletin. The vulnerability could be exploited to allow file content disclosure of the web application or remote code execution. When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP connector enabled by default that listened on all configured IP addresses. This vulnerability report identified a mechanism that allowed:
- returning arbitrary files from anywhere in the web application
- processing any file in the web application as a JSP
Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means), then this, along with the ability to process a file as a JSP, made remote code execution possible. To mitigate this vulnerability, Cloud Optimizer has provided steps for all impacted versions listed below. https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-1938

Affected products: Cloud Optimizer 3.02, 3.03, 3.04
Category: Security Bulletins
Created: Thu May 28 00:00:00 GMT 2020
Modified: Thu May 28 00:00:00 GMT 2020
Status: public, published
10. KM03645631 - Service Management Automation (SMA). Incorrect Authorization vulnerability, CVE-2020-11844.

A potential vulnerability has been identified in the Micro Focus Container Deployment Foundation component that ships with SMA. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.

Affected products: Service Management Automation
Category: Security Bulletins
Created: Thu May 28 00:00:00 GMT 2020
Modified: Thu May 28 00:00:00 GMT 2020
Status: public, published
11. KM03645630 - Operation Bridge Suite (Containerized). Incorrect Authorization, CVE-2020-11844.

A potential vulnerability has been identified in the Micro Focus Container Deployment Foundation component that ships with Operation Bridge Suite (Containerized). The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.

Affected products: Operations Bridge Containerized 2018.05, 2018.08, 2018.11, 2019.02, 2019.05, 2019.08, 2019.11
Category: Security Bulletins
Created: Thu May 28 00:00:00 GMT 2020
Modified: Thu May 28 00:00:00 GMT 2020
Status: public, published
12. KM03645629 - Network Operation Management. Incorrect Authorization vulnerability, CVE-2020-11844.

Vulnerability summary: A potential vulnerability has been identified in the Micro Focus Container Deployment Foundation component that ships with Network Operation Management. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.

Affected products: Network Operations Management (all versions)
Category: Security Bulletins
Created: Thu May 28 00:00:00 GMT 2020
Modified: Thu May 28 00:00:00 GMT 2020
Status: public, published
13. KM03645628 - Data Center Automation Containerized. Incorrect Authorization vulnerability, CVE-2020-11844.

A potential vulnerability has been identified in the Micro Focus Container Deployment Foundation component that ships with Data Center Automation Containerized. The vulnerability could be exploited to provide unauthorized access to the Container Deployment Foundation.

Affected products: Data Center Automation-E Containerized 2018.11, 2019.02, 2019.05, 2019.08, 2019.11; Data Center Automation-P Containerized 2018.05, 2018.08, 2018.11, 2019.02, 2019.05, 2019.08, 2019.11
Category: Security Bulletins
Created: Thu May 28 00:00:00 GMT 2020
Modified: Thu May 28 00:00:00 GMT 2020
Status: public, published
14. KM03640285 - Service Manager. Cross-Site Scripting vulnerability, CVE-2020-11845

Vulnerability summary: A potential cross-site scripting (XSS) vulnerability has been identified in Service Manager. The vulnerability could be exploited to allow remote attackers to inject arbitrary web script or HTML.

Affected products: Service Manager 9.50, 9.51, 9.52, 9.60, 9.61, 9.62, 9.63
Category: Security Bulletins
Created: Mon May 18 00:00:00 GMT 2020
Modified: Mon May 18 00:00:00 GMT 2020
Status: public, published
15. KM03640252 - Enterprise Server and Enterprise Developer. Cross-Site Scripting vulnerability, CVE-2020-9524

Vulnerability summary: A potential vulnerability has been identified in Micro Focus Enterprise Server (including the Enterprise Server component of Enterprise Developer). A number of pages containing cross-site scripting (XSS) opportunities could allow an attacker to trigger administrative actions when an administrator viewed malicious data left by the attacker (stored XSS) or followed a malicious link (reflected XSS).

Affected products: Enterprise Developer/Enterprise Server
Category: Security Bulletins
Created: Sun May 17 00:00:00 GMT 2020
Modified: Sun May 17 00:00:00 GMT 2020
Status: public, published
16. KM03636721 - Network Automation. Apache Tomcat vulnerability, CVE-2020-1938

A vulnerability in Apache Tomcat was addressed by Network Automation. The vulnerability could be exploited to allow file content disclosure of the web application or remote code execution. When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this connector would be disabled if not required. This vulnerability report identified a mechanism that allowed:
- returning arbitrary files from anywhere in the web application
- processing any file in the web application as a JSP
Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means), then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defense-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations. https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-1938

Affected products: Network Automation 10.00, 10.10, 10.11, 10.20, 10.21, 10.30, 10.40, 10.50, 2018.05, 2018.08, 2018.11, 2019.05, 9.20, 9.21, 9.22
Category: Security Bulletins
Created: Wed Apr 29 00:00:00 GMT 2020
Modified: Thu Apr 30 00:00:00 GMT 2020
Status: public, published
17. KM03635668 - Service Manager. Apache Tomcat vulnerability, CVE-2020-1938

A vulnerability in Apache Tomcat was addressed by Service Manager. The vulnerability could be exploited to allow file content disclosure of the web application or remote code execution. When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. For more details, please reference the CVE details at the following link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-1938

Affected products: Service Manager 9.40, 9.41, 9.50, 9.51, 9.52, 9.60, 9.61, 9.62, 9.63, 9.64
Category: Security Bulletins
Created: Wed Apr 22 00:00:00 GMT 2020
Modified: Wed Apr 22 00:00:00 GMT 2020
Status: public, published
18. KM03634936 - Micro Focus Enterprise Developer and Enterprise Server. UNC Path Navigation vulnerability, CVE-2020-9523.

A potential vulnerability has been identified in Micro Focus Enterprise Server (including the Enterprise Server component of Enterprise Developer). The UNC path navigation vulnerability could allow an attacker to transmit hashed credentials for the user account running the Micro Focus Directory Server (MFDS) to an arbitrary site, compromising that account's security.

Affected products: Enterprise Developer/Enterprise Server
Category: Security Bulletins
Created: Thu Apr 16 00:00:00 GMT 2020
Modified: Thu Apr 16 00:00:00 GMT 2020
Status: public, published
19. KM03634739 - Data Center Automation Containerized. Apache Tomcat vulnerability, CVE-2020-1938.

A vulnerability in Apache Tomcat was addressed by Data Center Automation Containerized. The vulnerability could be exploited to allow file content disclosure of the web application or remote code execution. When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this connector would be disabled if not required. This vulnerability report identified a mechanism that allowed:
- returning arbitrary files from anywhere in the web application
- processing any file in the web application as a JSP
Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means), then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defense-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations. https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-1938

Affected products: Data Center Automation-E Containerized 2018.11, 2019.02, 2019.05, 2019.08, 2019.11; Data Center Automation-P Containerized 2017.05, 2017.08, 2017.09, 2017.11, 2018.02, 2018.05, 2018.08, 2018.11, 2019.02, 2019.05, 2019.08, 2019.11
Category: Security Bulletins
Created: Thu Apr 16 00:00:00 GMT 2020
Modified: Thu Apr 16 00:00:00 GMT 2020
Status: public, published
20. KM03634338 - Service Management Automation (SMA). Apache Tomcat vulnerability CVE-2020-1938.

A vulnerability in the Apache Tomcat components used by SMA products was addressed by the Micro Focus Service Management Automation (SMA) R&D team. The vulnerability could be exploited to allow file content disclosure of the web application or remote code execution. When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat, by intentional design, treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. For more details on this issue, please reference the CVE ID and link below: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-1938

Affected products: Service Management Automation
Category: Security Bulletins
Created: Wed Apr 15 00:00:00 GMT 2020
Modified: Wed Apr 15 00:00:00 GMT 2020
Status: public, published