Detection of Apache Tomcat Web Socket DOS vulnerability on the Tomcat component of SAP BO BI

0 Kudos

We are using the SAP BusinessObjects Business Intelligence client version 4.1 application whose main purpose is to provide reports for BMC Truesight Tool users. However, there is a vulnerability detected for the Apache Tomcat component of this application by the Qualys Scanning Tool.

Vulnerability details below.

CVE ID: CVE-2020-13935

Vulnerability name: Apache Tomcat WebSocket Denial of Service Vulnerability

Port on which vulnerability is detected: 8080

Server OS: Windows Server 2012 R2 Datacenter 64 bit Edition

I generally understand from a few blogs that this vulnerability can be remediated by upgrading Tomcat to a non-vulnerable version. However, it would be good if the SAP community could help me remediate this vulnerability with detailed steps.

Thanks and Regards,

Karthik Vijayan

former_member30
Community Manager
0 Kudos

Hi and welcome to the SAP Community!

Thank you for visiting SAP Community to get answers to your questions. Since you're asking a question here for the first time, I recommend that you familiarize yourself with https://community.sap.com/resources/questions-and-answers (if you haven't already), as it provides tips for preparing questions that draw responses from our members. For example, you can outline what steps you took to find answers (and why they weren't helpful) and share screenshots of what you've seen/done. The more details you provide, the more likely it is that members will be able to assist you.

Should you wish, you can revise your question by selecting Actions, then Edit (although once someone answers your question, you'll lose the ability to edit the question -- but if that happens, you can leave more details in a comment).

Finally, if you're hoping to connect with readers, please consider adding a picture to your profile. Here's how you do it: https://www.youtube.com/watch?v=F5JdUbyjfMA&list=PLpQebylHrdh5s3gwy-h6RtymfDpoz3vDS. By personalizing your profile with a photo of you, you encourage readers to respond.

Cheers,

Julia, SAP Community Moderator

Accepted Solutions (0)

Answers (3)

ayman_salem
Active Contributor
0 Kudos

SAP BusinessObjects Business Intelligence Platform is not subject to this CVE.

See KBA 2498770 - Tomcat vulnerabilities (CVE-*) NOT impacting SAP BusinessObjects Business Intelligence Platform XI 3.1 /4.0 /4.1 /4.2

denis_konovalov
Active Contributor
0 Kudos

Per SAP Note https://launchpad.support.sap.com/#/notes/2498770,
Tomcat and the SAP Business Intelligence platform are not affected by this CVE.

As to your question about steps: it's a vulnerability that is fixed by upgrade, so there are no steps.
You have to upgrade if you're using a non-SAP-supplied Tomcat.
How to upgrade Tomcat can be found at http://tomcat.apache.org/

If you want to upgrade the Tomcat that SAP provides as part of its product, the best way is to follow the regular SAP maintenance process; alternatively, you can use https://launchpad.support.sap.com/#/notes/2232191 (with disclaimer).

former_member263415
Active Participant
0 Kudos

Hi Karthik,

If you are using the Tomcat that is shipped with BI 4.1 (bundled), then that Tomcat version is not affected by this vulnerability.

You can refer to the KBA below and search for the CVE number:

https://launchpad.support.sap.com/#/notes/2498770

Regards,

Sharvari