How to fix the Apache Tomcat security vulnerability CVE-2020-1938 (Ghostcat)?


Component: Tomcat | Version: lower than Bonita 7.11

First of all, the good news: the Tomcat version 8.5.53 embedded in Bonita 7.11 includes the fix for CVE-2020-1938.

CVE-2020-1938 ("Ghostcat") is a flaw in Tomcat's AJP connector (port 8009 by default): AJP requests were treated as trusted, so anyone able to reach that port could read files inside a deployed web application and, if the application accepted file uploads, get JSP code executed. As per the official Apache Tomcat release notes, the vulnerability affects Tomcat 8.5.0 to 8.5.50 and was fixed in Apache Tomcat 8.5.51.

What are my options to fix this in my Bonita?

The problem is that Bonita versions lower than 7.11 embed Tomcat versions that aren't fixed (8.5.40 and lower), so the vulnerability is present in these versions.

So your options are the following:

  1. Of course, the best one is to migrate to the Bonita 7.11+ bundle.
  2. If you can't, then you can patch your current Tomcat / bundle by disabling or locking down the AJP connector; see an example here: Fixing The Ghostcat Vulnerability CVE-2020-1938.
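For option 2, here is what the change to Tomcat's `conf/server.xml` looks like. This is an added illustration, not taken from the Bonita bundle or from the linked page; the port, the `redirectPort` and the secret value are placeholders, and the attribute names are those of the Tomcat 8.5.x AJP connector (`requiredSecret` is the attribute available in the 8.5.40 and lower versions shipped with older Bonita bundles; Tomcat 8.5.51+ renamed it to `secret` with `secretRequired="true"`).

```xml
<!-- Added example for conf/server.xml (placeholders, not the Bonita bundle's own file). -->

<!-- BEFORE: the vulnerable shape found in pre-8.5.51 bundles.
     The AJP connector listens on every interface and accepts any AJP client. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- AFTER, option A: nothing proxies to Bonita over AJP (no mod_jk / mod_proxy_ajp),
     so remove the connector entirely. Commenting it out is enough; Tomcat will not open 8009. -->
<!--
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
-->

<!-- AFTER, option B: a reverse proxy on the same host really does use AJP.
     Bind the connector to loopback only and require a shared secret that the
     proxy must present (mod_jk worker "secret", or mod_proxy_ajp "secret" parameter). -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           requiredSecret="CHANGE-ME-to-a-long-random-value" />
```

After restarting the bundle, check the result from the host: port 8009 should no longer appear in the listening sockets (option A) or should be bound only to `127.0.0.1` (option B), and the proxy must be configured with the same secret or it will get 403 responses from Tomcat. Keep in mind that this only closes the Ghostcat entry point; the Tomcat 8.5.40 and lower versions in those bundles remain unsupported and the upgrade in option 1 is still the real fix.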

That said, migrating to the latest Bonita version is always the best option. We encourage you to upgrade to our latest version to benefit from this fix and many other bug fixes and feature enhancements.

Have fun with Bonita!