Environment
ZENworks Reporting Server Appliance
ZENworks Configuration Management
Situation
CVE-2020-1938 shows up in vulnerability scans against the ZENworks Reporting Server Appliance and ZENworks Configuration Management.
Resolution
For ZRS: This is fixed in the next Online Update Security patches for Appliances in the May 2020 cadence.
For ZENworks Configuration Management 2020 Update 1: This is fixed, see TID 7024523 - ZENworks 2020 Update 1 - information and list of fixes.
For 2017.x and 2020 versions of ZCM, follow the steps in the workaround below.
Workaround:
Disable the AJP connector - it is not used.
- Stop ZENworks Services
- Create a backup before editing the server.xml file
- ZRS Appliance Location: /opt/novell/zenworks-reporting/js/apache-tomcat/conf
- ZCM Appliance Location: /vastorage/opt/novell/zenworks/share/tomcat/conf
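- Remove (remark out) the following line:
- <Connector URIEncoding="UTF-8" port="8009" protocol="AJP/1.3" redirectPort="8443"/>
- Remarked out, the line reads: <!-- <Connector URIEncoding="UTF-8" port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->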
- Start the ZENworks Services
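To confirm the edit took effect, the following added example (not part of the original TID or any ZENworks tooling) parses a server.xml and reports any AJP connector that is still active, ignoring connectors that are already remarked out. The sample file content and the function names are constructed for illustration, and the remark helper assumes the connector is written as a single self-closing tag, as in the line above.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample server.xml: the AJP line from the workaround, an HTTPS
# connector, and an AJP connector that is already remarked out.
SAMPLE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"/>
    <Connector URIEncoding="UTF-8" port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <!-- <Connector port="8010" protocol="AJP/1.3"/> -->
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)
CONNECTOR = re.compile(r"<Connector\b[^>]*?/>", re.DOTALL)  # self-closing form only
IS_AJP = re.compile(r'protocol="[^"]*ajp', re.IGNORECASE)


def active_ajp_connectors(xml_text):
    """Attributes of each AJP <Connector> Tomcat would load. The parser
    discards XML comments, so remarked-out connectors are not reported."""
    root = ET.fromstring(xml_text)
    return [dict(c.attrib) for c in root.iter("Connector")
            if "ajp" in c.get("protocol", "").lower()]


def _remark(match):
    tag = match.group(0)
    return "<!-- " + tag + " -->" if IS_AJP.search(tag) else tag


def remark_ajp(xml_text):
    """Comment out active AJP connectors; text already inside comments is kept as is."""
    out, pos = [], 0
    for c in COMMENT.finditer(xml_text):
        out += [CONNECTOR.sub(_remark, xml_text[pos:c.start()]), c.group(0)]
        pos = c.end()
    return "".join(out) + CONNECTOR.sub(_remark, xml_text[pos:])


if __name__ == "__main__":
    # With a path argument: read-only check of that server.xml. Without: demo on SAMPLE.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else remark_ajp(SAMPLE)
    found = active_ajp_connectors(text)
    for attrs in found:
        print("active AJP connector:", attrs)
    print("AJP still enabled" if found else "no active AJP connector")
    sys.exit(1 if found else 0)
```

Run with the path to server.xml as the only argument; exit status 1 means an AJP connector is still enabled in that file.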
Cause
Tomcat Vulnerability CVE-2020-1938
Additional Information
Other ZENworks product server.xml locations
ZCM Windows Location: %ZENWORKS_HOME%\share\tomcat\conf
ZCM Linux Location: /opt/novell/zenworks/share/tomcat/conf
ZCM Appliance Location: /vastorage/opt/novell/zenworks/share/tomcat/conf
ZRS Appliance Location: /opt/novell/zenworks-reporting/js/apache-tomcat/conf
ZSD Appliance Location: /opt/novell/servicedesk/server/conf