Disabling AJP in Percussion CMS Products to mitigate GhostCat (CVE-2020-1938)

All versions of Percussion CMS products ship with various versions of Apache Tomcat, depending on the product version and patch level.

A recent security vulnerability, GhostCat (CVE-2020-1938), was reported that affects the AJP connector, which is enabled by default in Tomcat's configuration.

Percussion products do not use the AJP connector by default, and this security issue can be mitigated by editing the following files:


Versions: Percussion CM1 1.0 - 5.3, Percussion Rhythmyx 5.7 - 7.3.2

File: /AppServer/server/rx/deploy/jboss-web.deployer/server.xml

Comment out the AJP connector using an XML comment (see the example below).

<!-- <Connector address="${jboss.bind.address}" emptySessionPath="true" enableLookups="false" port="9998" protocol="AJP/1.3" redirectPort="8443"/> -->

Versions: Percussion DTS 1.0 - 5.3

Production DTS:

Comment out the following lines in Deployment/Server/conf/server.xml:

<!-- Define an AJP 1.3 Connector on port 8009
<Connector port="9982" protocol="AJP/1.3" redirectPort="8443" xpoweredBy="false" address="0.0.0.0"/>
-->

Staging DTS:

Comment out the following lines in Staging/Deployment/Server/conf/server.xml:

<!-- Define an AJP 1.3 Connector on port 8009
<Connector port="9982" protocol="AJP/1.3" redirectPort="8443" xpoweredBy="false" address="0.0.0.0"/>
-->

After saving these changes and stopping and then starting the Percussion services, this vulnerability will be closed.

Note that some security scanners may still flag the pattern even when it is commented out; in that case the AJP entries can be deleted instead.
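To verify the edits above (and to tell a real live connector from a scanner match on the commented-out text), the following added check is not Percussion code; it assumes the install-root-relative paths quoted in this post and parses each server.xml with a real XML parser, so connectors inside <!-- --> comments are ignored.

```python
"""Audit Percussion server.xml files for an AJP connector that is still active."""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# server.xml locations named in this post, relative to the Percussion install root.
SERVER_XML_PATHS = [
    "AppServer/server/rx/deploy/jboss-web.deployer/server.xml",  # CM1 / Rhythmyx
    "Deployment/Server/conf/server.xml",                          # production DTS
    "Staging/Deployment/Server/conf/server.xml",                  # staging DTS
]

# Constructed samples (not real files): the CM1 connector live, and commented out.
CM1_LIVE = (
    '<Server><Service name="jboss.web">'
    '<Connector address="${jboss.bind.address}" port="9998" protocol="AJP/1.3" redirectPort="8443"/>'
    '<Connector port="9992" protocol="HTTP/1.1"/>'
    "</Service></Server>"
)
CM1_MITIGATED = CM1_LIVE.replace(
    '<Connector address="${jboss.bind.address}" port="9998" protocol="AJP/1.3" redirectPort="8443"/>',
    '<!-- <Connector address="${jboss.bind.address}" port="9998" protocol="AJP/1.3" redirectPort="8443"/> -->',
)


def active_ajp_connectors(xml_text):
    """Return the attributes of every <Connector> whose protocol is AJP and that is
    actually parsed, i.e. not inside an XML comment. ElementTree drops comments
    while parsing, which is exactly the distinction a text-matching scanner misses."""
    root = ET.fromstring(xml_text)
    return [dict(c.attrib) for c in root.iter("Connector")
            if c.get("protocol", "").upper().startswith("AJP")]


def scanner_false_positive(xml_text):
    """True when 'AJP/1.3' only survives inside a comment: the file is mitigated,
    but a pattern-based scanner may still report it (the case where deleting the
    entry outright is the cleaner fix)."""
    text = xml_text.decode("utf-8", "replace") if isinstance(xml_text, bytes) else xml_text
    return "AJP/1.3" in text and not active_ajp_connectors(xml_text)


def audit_install(install_root):
    """Map each known server.xml path under install_root to its live AJP connectors."""
    results = {}
    for rel in SERVER_XML_PATHS:
        path = Path(install_root) / rel
        if path.is_file():
            results[rel] = active_ajp_connectors(path.read_bytes())
    return results


if __name__ == "__main__":
    for rel, found in audit_install(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{rel}: {'ACTIVE AJP ' + str(found) if found else 'no active AJP connector'}")
```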

5.3 Patch 5315_20200310 ships with Tomcat 7.0.100 which mitigates this vulnerability.

CM1 5.4 ships with Tomcat 9.0.31, which also mitigates this vulnerability.

Rhythmyx Patch 732_2020310 ships with AJP commented out, but the issue is also mitigated by running the Jetty application server instead of the legacy JBoss application server on the 7.3.2 version.
