Security issue: Vulnerability in Apache Tomcat versions before 9.0.31, 8.5.51 and 7.0.100
Attack scenario: An attacker can read files and may be able to execute code. The attack is carried out via the "AJP Connector Service", which is reachable by default on port 8009/tcp.
Affected: Different DRACOON services
Description: Many server-side DRACOON services use Apache Tomcat, but the "AJP Connector Service" is not used by default in any DRACOON service.
Mitigating factors: At the current time, we are not aware of any case in which the "AJP Connector Service" is used or has been used in a DRACOON service. In all environments supported by DRACOON, the port is not accessible and the vulnerability is therefore not exploitable according to current knowledge.
Impact on on-premise installations: Customers who operate DRACOON on their own responsibility and/or on their own servers are only affected if port 8009/tcp has been made available (to the outside) contrary to DRACOON's standard recommendations. Normally the affected port is blocked by a local firewall (e.g. firewalld) for access from outside.
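An added check for operators of on-premise installations (example code, not DRACOON's or Tomcat's own tooling): it parses a Tomcat server.xml for an active AJP connector, classifies the exposure, and offers a plain TCP reachability probe for 8009/tcp to run against one's own host from outside. The two server.xml samples are constructed, and treating an absent address attribute as "all interfaces" assumes the pre-9.0.31 Tomcat default.

```python
"""Check a Tomcat server.xml for an active AJP connector (CVE-2020-1938 exposure)."""
import socket
import xml.etree.ElementTree as ET

# Constructed sample (not DRACOON's own config): Tomcat's stock layout with the
# AJP connector commented out, which is the state the advisory describes as default.
SERVER_XML_DEFAULT = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

# Constructed sample: the same file with the AJP connector uncommented and bound
# to all interfaces, i.e. the configuration the advisory warns against.
SERVER_XML_EXPOSED = SERVER_XML_DEFAULT.replace(
    '<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->',
    '<Connector port="8009" protocol="AJP/1.3" address="0.0.0.0" redirectPort="8443" />',
)

def ajp_connectors(server_xml: str) -> list:
    """Return every active AJP <Connector>; commented-out ones never reach the parser."""
    found = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            # Assumption: pre-9.0.31 semantics, where no address means all interfaces.
            found.append({"port": int(conn.get("port", "8009")),
                          "address": conn.get("address", "0.0.0.0")})
    return found

def assess(server_xml: str) -> str:
    """Classify the config as 'disabled', 'local-only' or 'exposed'."""
    conns = ajp_connectors(server_xml)
    if not conns:
        return "disabled"
    if all(c["address"] in ("127.0.0.1", "::1", "localhost") for c in conns):
        return "local-only"
    return "exposed"

def port_reachable(host: str, port: int = 8009, timeout: float = 2.0) -> bool:
    """Live check against your own host: True if a TCP connection to the port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run `assess()` on the real server.xml of each service and `port_reachable()` from a machine outside the host's firewall; a "disabled" verdict together with an unreachable port is the state the advisory describes.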
It is also recommended, as a matter of principle, that all servers and their services be updated at regular intervals. This applies in particular as soon as updates have been made available for already installed DRACOON services.
Due to their configuration, DRACOON services are not vulnerable to the attack vector described in CVE-2020-1938 according to current knowledge; an update is therefore not time-critical. Nevertheless, DRACOON follows the recommendation of the CVE/Tomcat developers and will release updates for all services that use Apache Tomcat internally in the coming days.