The AJP protocol is enabled by default, with the AJP connector listening on TCP port 8009 and bound to IP address 0.0.0.0.

8.x (as pki-servlet-container, pki-servlet-engine in pki-deps module)

CVE-2020-1938 is a file read/inclusion using the AJP connector in Apache Tomcat.

Red Hat JBoss Enterprise Application Platform (EAP).

Workarounds are settings or configuration changes that a user or administrator can apply to help protect against an attack.

Mitigations are existing conditions that a potential attacker would need to overcome to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations and general best practices.

Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics. BlackBerry assigns all relevant security vulnerabilities a non-zero score. BlackBerry uses CVSSv3 in vulnerability assessments to present an immutable characterization of security vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization and can range from 0.0 (no vulnerability) to 10.0 (critical).

BlackBerry Good Control version 5.2.58.45 and later

Common Vulnerabilities and Exposures is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation.

Common Vulnerability Scoring System is a vendor agnostic, industry open standard designed to convey the severity of a vulnerability.

BlackBerry Workspaces Server (deployed with vApp) with Apache Tomcat upgraded as per the BlackBerry support article.

BlackBerry Workspaces Server (deployed with Appliance-X) versions 7.1.3, 8.2.6, and 9.1.0 and later.

The following versions contain the software update:

BlackBerry Workspaces Clients on all platforms.

Where can I read more about the security of BlackBerry products and services?

For more information on BlackBerry security visit.

Please refer to the following BlackBerry support articles for detailed mitigation instructions.

For BlackBerry Workspaces Server (deployed with Appliance-X):

For BlackBerry Workspaces Server (deployed with vApp):

Affected customers should contact their support or professional services representative to acquire an updated release.

Click the following link to download the BlackBerry Good Control Server software update(s).

Customers without an active support agreement can visit BlackBerry’s Support site at for further assistance.

The potential impact is additionally mitigated by the requirement that the attacker must have permissions to upload documents.

The vulnerability may be mitigated in customer environments that use firewalls to limit access to the AJP ports.

Impact if Requirements are met (exploitation results)

A successful attacker could potentially read the contents of configuration files or execute arbitrary Java Server Pages code.

Additionally, an attacker must be able to upload a maliciously crafted file to the server to achieve greater impact.

Requirements for Attacker to be Successful

An attacker must communicate with an Apache JServ Protocol (AJP) port on the server.

Who Should Read This Advisory/Apply Software Fixes

Administrators who deploy and support affected products.

Good Control Service – this component is responsible for launching and running the Good Control Server on the system.

Workspaces Application Server – this component is responsible for the BlackBerry Workspaces application, including web application and the Application Programming Interface (API) service.

Conversion Server – this component is responsible for converting Microsoft Office files to BlackBerry Workspaces secure format.

BlackBerry Workspaces Server (deployed with Appliance-X)
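
The exposure condition described above (an AJP connector on TCP port 8009 bound to 0.0.0.0) can be checked in Tomcat's server.xml. The following Python sketch is an added example, not code from BlackBerry, Red Hat or Apache; the sample configuration is constructed, and treating a missing address attribute as 0.0.0.0 is an assumption based on the default the advisory describes.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, not taken from any product: one AJP connector relying on
# the default bind address, one pinned to loopback, and one HTTP connector.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1" />
  </Service>
</Server>
"""

def is_ajp(connector):
    """True for protocol="AJP/1.3" or an explicit org.apache.coyote.ajp.* class."""
    proto = connector.get("protocol", "")
    return proto.upper().startswith("AJP") or ".ajp." in proto.lower()

def is_loopback(address):
    """True when the bind address is a loopback IP or the name localhost."""
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return address.lower() == "localhost"

def audit_ajp(server_xml):
    """Return (port, address, verdict) for every AJP connector found."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not is_ajp(conn):
            continue
        # Assumption: a missing address attribute means the affected-version
        # default described in the advisory (0.0.0.0, all interfaces).
        address = conn.get("address", "0.0.0.0")
        verdict = "loopback-only" if is_loopback(address) else "network-reachable"
        findings.append((conn.get("port", "?"), address, verdict))
    return findings

if __name__ == "__main__":
    for port, address, verdict in audit_ajp(SAMPLE_SERVER_XML):
        print(f"AJP connector {address}:{port} -> {verdict}")
```

A "network-reachable" verdict means the firewall mitigation mentioned above is the only thing limiting access to that AJP port.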