A critical vulnerability, CVE-2020-1938, was identified in Tomcat servers; however, this vulnerability does not have any impact on Data360 Analyze.
While Data360 Analyze does use Tomcat, our default Tomcat configuration has AJP disabled. With AJP disabled, this vulnerability doesn't exist within the embedded Tomcat server.
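One way to check the "AJP disabled" statement against a Tomcat `server.xml` is to list any active AJP connectors. This is an added example, not code from Data360 Analyze; the sample XML is constructed, and the location of `server.xml` in an install is not given here, so the path is passed as an argument.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample server.xml content (not taken from a Data360 Analyze install).
SAMPLE_AJP_DISABLED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
  </Service>
</Server>"""

SAMPLE_AJP_ENABLED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""


def is_ajp(protocol):
    """True for 'AJP/1.3' and for the AJP implementation class names."""
    p = protocol.lower()
    return p.startswith("ajp/") or ".ajp." in p


def find_ajp_connectors(server_xml_text):
    """Return one dict per active AJP <Connector>.

    Commented-out connectors are dropped by the XML parser, so they never match.
    """
    root = ET.fromstring(server_xml_text)
    findings = []
    for conn in root.iter("Connector"):
        # Tomcat treats a Connector without a protocol attribute as HTTP/1.1.
        if not is_ajp(conn.get("protocol", "HTTP/1.1")):
            continue
        findings.append({
            "port": conn.get("port"),
            "address": conn.get("address"),  # None: the Tomcat version's default bind address
            "has_secret": bool(conn.get("secret") or conn.get("requiredSecret")),
            "secret_required": conn.get("secretRequired"),
        })
    return findings


if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1], encoding="utf-8") as fh:
        hits = find_ajp_connectors(fh.read())
    print("AJP disabled" if not hits else f"Active AJP connectors: {hits}")
```

An empty result means no AJP connector is configured in that file; any entry returned should be reviewed for its bind address and secret settings.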
Comments
2 comments
Can you confirm the same for https://nvd.nist.gov/vuln/detail/CVE-2020-9484 please? Is there a folder/location where I can track all these or is Tips & Tricks the location?
The advisory states that "Note that all of conditions a) to d) must be true for the attack to succeed." This is not the case for Data360 Analyze so CVE-2020-9484 does not have any impact on Data360 Analyze.
We have an ongoing program to assess the impact of vulnerabilities identified in components utilised in Data360 Analyze. This results in the patching or upgrading of supported products in line with Product Vulnerability Patching Standard. These changes are not typically enumerated in detail on the support forum or in product release notes. However, when a specific inquiry is made by a customer (e.g. via the forum or in a support ticket) then we will provide a response.