cvirata (Community Manager)

[RESOLVED]: Notice of FlexNet Code Insight Security Vulnerabilities

Updated:

This post is an update for the Tomcat Ghostcat vulnerability with respect to FlexNet Code Insight v6.x.

SCA-24085: Tomcat Vulnerability

The Tomcat vulnerability CVE-2020-1938 (with a base score of 9.8, rated “critical”) affects the Apache Tomcat version currently installed by FlexNet Code Insight. The vulnerability stems from the Apache JServ Protocol (AJP) connector, which listens on port 8009 by default. Tomcat treats AJP connections as more trusted than HTTP connections, so if such connections are reachable by an attacker, they can be exploited in unexpected and damaging ways.

For more information about this vulnerability (including a list of all affected Tomcat versions), access the following site: https://nvd.nist.gov/vuln/detail/CVE-2020-1938.

FlexNet Code Insight v6.x currently uses Apache Tomcat 7.0.94 and is affected by the above vulnerability.

Recommended Solution: Upgrade your instance to FlexNet Code Insight 6.14.1, currently planned for early June 2020. This release will be upgraded to use Apache Tomcat 7.0.103.

Workarounds

Since FlexNet Code Insight does not require the AJP connector, it can be disabled using the instructions in Workaround #1 below. Alternatively, you can avoid the vulnerability by simply blocking port 8009 as described in Workaround #2.

Workaround #1: Disable the AJP connector

Since Code Insight does not require the AJP connector, it can be disabled. Once the connector is disabled, you can continue to use port 8009.

To disable the AJP connector, follow these steps:

  • Open the appropriate Tomcat configuration file in a text editor:
    • On Windows, open {CODEINSIGHT_ROOT_DIR}\tomcat\conf\server.xml
    • On Linux, open /etc/tomcat9/server.xml
  • Search for the string 8009 and comment out the Connector line for the AJP protocol, so that it reads as follows:
    • <!-- Define an AJP 1.3 Connector on port 8009 -->
    • <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
  • Save the file
  • Restart the Apache Tomcat service
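The check and edit that Workaround #1 performs by hand, as an added Python example (not Flexera's or Tomcat's own code): it reports any AJP connector in a server.xml that is not already inside an XML comment and returns a copy of the file text with that connector commented out. The server.xml content below is a constructed sample modelled on the stock Tomcat 7 file; for a real instance, read {CODEINSIGHT_ROOT_DIR}\tomcat\conf\server.xml into xml_text instead.

```python
import re

# Constructed sample modelled on the Connector section of a stock Tomcat 7 server.xml.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8888" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
# Self-closing <Connector .../> tags only; the stock AJP connector is written this way.
CONNECTOR_RE = re.compile(r"<Connector\b[^>]*?/>", re.DOTALL)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def _is_ajp(tag):
    """True if a connector tag speaks AJP or sits on the default AJP port 8009."""
    attrs = dict(ATTR_RE.findall(tag))
    return attrs.get("protocol", "").upper().startswith("AJP") or attrs.get("port") == "8009"


def _live_ajp_matches(xml_text):
    """Yield regex matches for AJP connectors that are not inside an XML comment."""
    comments = [m.span() for m in COMMENT_RE.finditer(xml_text)]
    for m in CONNECTOR_RE.finditer(xml_text):
        in_comment = any(start <= m.start() < end for start, end in comments)
        if not in_comment and _is_ajp(m.group(0)):
            yield m


def enabled_ajp_connectors(xml_text):
    """Return the text of every AJP connector Tomcat would actually start."""
    return [m.group(0) for m in _live_ajp_matches(xml_text)]


def disable_ajp_connectors(xml_text):
    """Return server.xml text with each enabled AJP connector wrapped in a comment."""
    out, last = [], 0
    for m in _live_ajp_matches(xml_text):
        out.append(xml_text[last:m.start()] + "<!-- " + m.group(0) + " -->")
        last = m.end()
    return "".join(out) + xml_text[last:]


if __name__ == "__main__":
    print("enabled AJP connectors:", enabled_ajp_connectors(SAMPLE_SERVER_XML))
    print(disable_ajp_connectors(SAMPLE_SERVER_XML))
```

A Connector written with separate opening and closing tags rather than a self-closing tag is not matched and should be checked by hand; restart Tomcat after writing the returned text back to server.xml.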

Workaround #2: Block port 8009 for incoming connections on your firewall

Use the appropriate method to block the port.

On Windows: A Windows server usually blocks the port by default, but you can create an explicit rule to ensure that port 8009 is blocked on your firewall. To block the port on Windows, use these steps:

  • Create a rule that blocks all inbound connections on port 8009
  • To ensure that the port is blocked, run the following command: netstat -ano | findstr 8009
  • If the port is no longer active, the command returns no matching lines

On Linux: To block the port on Linux, use these steps:

  • Use your security product or the Linux iptables utility to block port 8009
  • If you use the iptables utility, use the following command to block the port: iptables -A INPUT -p tcp --dport 8009 -j DROP
  • To ensure that the port is blocked, run the following command: ss -a | grep 8009
  • If the port is no longer active, the command returns no matching lines


Updated:

This post is an update to our Feb 24th notification, alerting you of two security vulnerabilities identified in our FlexNet Code Insight solution. We are happy to inform you that the FlexNet Code Insight 2020 R1 SP1 release is now available on our Flexera Product and License Center. This service pack addresses the two security vulnerabilities originally identified.


Cross-Site Scripting (XSS) Vulnerability

This vulnerability impacts all FlexNet Code Insight v7 releases up to and including 2020 R1. It has been reviewed by our security team and has been assigned a CVSS v3 score of 3.4 (LOW Severity). The re-scoring was based on the fact that access to FlexNet Code Insight requires network access (LAN) and authentication to a security-sensitive product. Furthermore, the actual execution happens in the web browser, which is a different scope from the application itself.

Elevated Privileges Vulnerability

This vulnerability impacts all FlexNet Code Insight v7 releases up to and including 2020 R1. It has been reviewed by our security team and has been assigned a CVSS v3 score of 8.0 (HIGH Severity). The re-scoring was based on the fact that access to FlexNet Code Insight requires network access (LAN) and authentication to a security-sensitive product.

During the development of this service pack, the Tomcat vulnerability known as Ghostcat was also reported. To reinforce our commitment to product quality and security, we’ve published two workaround options that can be applied immediately while we work on upgrading the bundled Tomcat version for the next release of FlexNet Code Insight.

Tomcat Vulnerability (Ghostcat)

The Tomcat vulnerability CVE-2020-1938 (with a base score of 9.8, rated “critical”) affects the Tomcat version currently installed by FlexNet Code Insight. The vulnerability stems from the Apache JServ Protocol (AJP) connector, which listens on port 8009 by default. Tomcat treats AJP connections as more trusted than HTTP connections, so if such connections are reachable by an attacker, they can be exploited in unexpected and damaging ways. For more information about this vulnerability (including a list of all affected Tomcat versions), access the following site:

https://nvd.nist.gov/vuln/detail/CVE-2020-1938.

We are working on upgrading the bundled version of Apache Tomcat for the FlexNet Code Insight 2020 R2 and v6.11.1 releases. Meanwhile, since FlexNet Code Insight does not require the AJP connector, it can be disabled by following the detailed instructions in the FlexNet Code Insight 2020 R1 SP1 Release Notes. Our QA team is also verifying the workaround steps for the FlexNet Code Insight v6.x releases and will provide an update in a few days.


For more information about this service pack, please see the FlexNet Code Insight 2020 R1 SP1 release notes located in our Product and License Center.

If you have any questions, you can either post them to this thread or reach out to your trusted Flexera contact.
Your FlexNet Code Insight Team

Original Post February 24, 2020

This notice is to inform you of two product vulnerabilities discovered in our FlexNet Code Insight solution. The first is a cross-site scripting (XSS) vulnerability, which impacts FlexNet Code Insight v7.x. The second is an elevated privileges vulnerability, which impacts both FlexNet Code Insight v7.x and v6.x. We'd like to thank Goutham Madhwaraj for discovering the vulnerabilities and reporting them to Flexera using responsible disclosure processes.

Due to the sensitive nature of security vulnerabilities, no further details about the vulnerabilities themselves will be published. If you have any questions about the specifics, please reach out to your Customer Success Manager.

As your trust in our ability to provide you high-quality, reliable, and secure products is of great importance to us, we are working to address these issues as quickly as possible. We are targeting a FlexNet Code Insight v7.x hotfix in late March to resolve both issues. For FlexNet v6.x, we are exploring solution options and will post another communication once we have a plan in place.

We have also reviewed our current security testing practices and are refining areas we feel we can improve. This will help prevent future security vulnerabilities.

If you know of team members in your organization who should be made aware of these issues, please either forward this post or point them in the direction of our Customer Success team.

We apologize for any dissatisfaction this causes and appreciate your continued patience as we work through these issues.

Your FlexNet Code Insight Team
