Article ID: 81342
Article Type: Technical Reference
This article discusses the AJP request injection and potential remote code execution vulnerability dubbed 'Ghostcat' (CVE-2020-1938).
Commvault software is not affected by CVE-2020-1938 because, by default, the AJP protocol is commented out in the server.xml file under the apache folder, which disables any AJP functionality.
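To confirm this on a given installation, the following added example (not Commvault code) parses a server.xml and lists any AJP connector that is active rather than commented out. The sample XML is constructed for illustration, and the path to the real server.xml is supplied by the caller.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: AJP connector commented out, as the article describes.
SAMPLE_DISABLED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""

# Constructed sample: the same file with the AJP connector uncommented.
SAMPLE_ENABLED = SAMPLE_DISABLED.replace("<!-- ", "").replace(" -->", "")


def active_ajp_connectors(server_xml):
    """Return (port, protocol, address) for every active AJP Connector.

    ElementTree drops XML comments while parsing, so a commented-out
    connector is never returned, matching how Tomcat reads the file.
    Accepts str or bytes (bytes honours the file's encoding declaration).
    """
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        # Tomcat treats a Connector without a protocol attribute as HTTP/1.1.
        protocol = conn.get("protocol", "HTTP/1.1")
        # Matches "AJP/1.3" and class names such as
        # org.apache.coyote.ajp.AjpNioProtocol.
        if "ajp" in protocol.lower():
            found.append((conn.get("port"), protocol, conn.get("address")))
    return found


if __name__ == "__main__":
    # Usage: python check_ajp.py <path to server.xml>
    with open(sys.argv[1], "rb") as fh:
        hits = active_ajp_connectors(fh.read())
    for port, protocol, address in hits:
        print(f"ACTIVE AJP connector: port={port} protocol={protocol} "
              f"address={address or '(not set)'}")
    if not hits:
        print("No active AJP connector found.")
    sys.exit(1 if hits else 0)
```

The script exits with status 1 when an active AJP connector is present, so it can be used in a scheduled configuration check.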
The Apache Tomcat Server is automatically installed during the installation of our software if it is not already installed.
Note: Manually upgrading the Apache Tomcat Server is not supported. Commvault strives to update the Tomcat software with the latest security updates, so that the components using the Tomcat server are free from any vulnerabilities reported by the open-source community.