CVE-2020-1938 Ghostcat Vulnerability Fix for Datafari


Cedric Ulmer

Mar 5, 2020, 3:58:29 AM
to Datafari
Hi Datafarians,

A recently discovered vulnerability in several Apache Tomcat versions may be affecting your Datafari CE installs. You have two ways to mitigate it:
Option 1: Remove your current install (or manually migrate, but this depends on your version and what you have done on it) and use the latest Datafari CE release, namely 4.4.1, which includes the fix.
Option 2: Apply the fix yourself on your own install, since it is fairly easy.

In case you select option 1: Go to https://www.datafari.com/en/download.html and make your choice (the OVA has also been patched)
In case you prefer option 2: Here is what you need to modify:

Go to datafari-tomcat-mcf/conf/server.xml and replace this line:
  • <Connector port="@AJP_PORT@" protocol="AJP/1.3" redirectPort="@SSL_PORT@" />
with the following:
  • <!-- <Connector port="@AJP_PORT@" protocol="AJP/1.3" redirectPort="@SSL_PORT@" /> -->
Go to datafari-tomcat/conf/server.xml and replace this line:
  • <Connector port="@AJP_PORT@" protocol="AJP/1.3" redirectPort="@SSL_PORT@" />
with the following:
  • <!-- <Connector port="@AJP_PORT@" protocol="AJP/1.3" redirectPort="@SSL_PORT@" /> -->
And with this you are done!

For more info about the CVE-2020-1938 vulnerability, you can go to: https://nvd.nist.gov/vuln/detail/CVE-2020-1938

Regards,

Cedric
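
One way to confirm that the option 2 edit took effect in both server.xml files. This is an added example, not part of the original post or of Datafari's code. The sample XML and its ports are constructed, and the script name check_ajp.py is hypothetical.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: one server.xml with AJP active, one after the edit.
BEFORE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="@AJP_PORT@" protocol="AJP/1.3" redirectPort="@SSL_PORT@" />
  </Service>
</Server>"""

AFTER = BEFORE.replace(
    '<Connector port="@AJP_PORT@" protocol="AJP/1.3" redirectPort="@SSL_PORT@" />',
    '<!-- <Connector port="@AJP_PORT@" protocol="AJP/1.3" redirectPort="@SSL_PORT@" /> -->',
)


def active_ajp_connectors(xml_text):
    """Return the attributes of every AJP <Connector> that is not commented out.

    ElementTree drops XML comments while parsing, so a connector wrapped in
    <!-- --> never appears in the tree, even if the comment spans several lines.
    """
    root = ET.fromstring(xml_text)
    return [
        dict(c.attrib)
        for c in root.iter("Connector")
        if "ajp" in c.get("protocol", "").lower()  # AJP/1.3 or org.apache.coyote.ajp.*
    ]


def audit(paths):
    """Check each server.xml; return the list of paths that still enable AJP."""
    exposed = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            found = active_ajp_connectors(fh.read())
        for conn in found:
            print(f"{path}: active AJP connector on port {conn.get('port')}")
        if found:
            exposed.append(path)
    return exposed


if __name__ == "__main__":
    # Usage: python check_ajp.py datafari-tomcat/conf/server.xml datafari-tomcat-mcf/conf/server.xml
    sys.exit(1 if audit(sys.argv[1:]) else 0)
```

The script exits with status 1 if any listed file still has an uncommented AJP connector, so it can gate a restart or a deployment check.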