How to secure Apache TOMCAT server from vulnerability issue (CVE-2020-1938) named as 'GhostCat' for TIBCO ActiveMatrix Service Grid and TIBCO Enterprise Platform

Article ID: KB0108047

Products: TIBCO ActiveMatrix Service Grid
Versions: 3.3.0, 3.3.1 and 3.4.0

Description

GhostCat Vulnerability Issue (CVE-2020-1938)

When using Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. Prior to Tomcat 9.0.31, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required.

Prior to this vulnerability report, the known risks of an attacker being able to access the AJP port directly were:

  • bypassing security checks based on client IP address
  • bypassing user authentication if Tomcat was configured to trust authentication data provided by the reverse proxy

This vulnerability report identified a mechanism that allowed the following:

  • returning arbitrary files from anywhere in the web application including under the WEB-INF and META-INF directories or any other location reachable via ServletContext.getResourceAsStream()
  • processing any file in the web application as a JSP

Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible.

Please refer to the following URLs for more details:
https://www.chaitin.cn/en/ghostcat
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31

How it affects TIBCO ActiveMatrix Service Grid and TIBCO Enterprise Platform
This vulnerability affects all versions of Apache Tomcat currently used by TIBCO ActiveMatrix Service Grid and TIBCO ActiveMatrix Service Bus.
The affected Tomcat instance is the embedded Apache Tomcat® 7.0.91/7.0.90 used by the TIBCO ActiveMatrix Service Performance Manager (SPM) Dashboard, which ships with TIBCO ActiveMatrix Service Grid and TIBCO Enterprise Platform. Editing that instance's configuration to disable the Apache Tomcat® AJP Connector (see Resolution below) mitigates this vulnerability; the Tomcat binaries themselves do not need to be replaced for this mitigation. Before removing the connector, confirm that nothing in your deployment (for example a mod_jk or mod_proxy_ajp reverse proxy) fronts the SPM Dashboard over AJP port 8009, since that path stops working once the connector is gone.

Issue/Introduction

Securing the Apache Tomcat server from the 'GhostCat' vulnerability (CVE-2020-1938) for TIBCO ActiveMatrix Service Grid and TIBCO Enterprise Platform

Environment

All AMX Supported Operating Systems

Resolution

Steps to disable Apache Tomcat® AJP Connector

1. Take a backup of the existing server.xml file <TIBCO_HOME>\amxspmdashboard\<version>\amxdashboard\tomcat\conf\server.xml

2. Open the original server.xml file in the above location and either delete the following AJP Connector line or comment it out (wrap it in <!-- ... -->):
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

3. Save the server.xml file.

4. Restart the ActiveMatrix Service Performance Manager (SPM) Dashboard (this restarts the embedded Tomcat server so the change takes effect). Afterwards, confirm that nothing is listening on TCP port 8009 any more.
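The following POSIX shell script is an added example, not TIBCO's own tooling: it performs steps 1 to 3 above (backup, then comment out the AJP/1.3 Connector in server.xml) and adds the check a practitioner wants afterwards, namely that no uncommented AJP connector remains. It handles the default server.xml layout where other connectors are already inside multi-line <!-- --> comments, so it never produces a nested (invalid) XML comment. The installation path in the usage comment follows the page's <TIBCO_HOME>/amxspmdashboard/<version> layout and is an assumption; adjust it to your installation.

```shell
#!/bin/sh
# Added example (not TIBCO's own tooling): scripted version of steps 1-3 above,
# plus a check that no active AJP/1.3 Connector remains in server.xml.
# The TIBCO_HOME-based path in the usage comment at the bottom is an assumption.
set -eu

# Print server.xml with every <!-- ... --> comment removed (comments may span
# lines), so that a connector that is already commented out does not count.
strip_xml_comments() {
  awk '
  { line = $0; out = ""
    while (length(line) > 0) {
      if (incomment) {
        i = index(line, "-->")
        if (i == 0) { line = ""; break }
        line = substr(line, i + 3); incomment = 0
      } else {
        i = index(line, "<!--")
        if (i == 0) { out = out line; line = ""; break }
        out = out substr(line, 1, i - 1); line = substr(line, i + 4); incomment = 1
      }
    }
    print out
  }' "$1"
}

# Number of AJP/1.3 Connector elements that are still active (not commented out).
active_ajp_connectors() {
  strip_xml_comments "$1" | grep -c '<Connector[^>]*protocol="AJP/1\.3"' || true
}

# Steps 1-3: back up server.xml, then wrap every active single-line AJP
# Connector in an XML comment, preserving indentation. Lines that are already
# inside a comment are left alone, so no nested (invalid) comment is produced.
disable_ajp_connector() {
  conf="$1"
  cp -p "$conf" "$conf.bak.$(date +%Y%m%d-%H%M%S)"
  awk '
  { keep = $0
    if (!incomment && keep !~ /<!--/ && keep ~ /<Connector[^>]*protocol="AJP\/1\.3"[^>]*\/>/) {
      match(keep, /^[ \t]*/)
      keep = substr(keep, 1, RLENGTH) "<!-- " substr(keep, RLENGTH + 1) " -->"
    }
    # Track comment state across lines for the lines that follow.
    line = $0
    while (1) {
      if (incomment) { i = index(line, "-->"); if (i == 0) break; line = substr(line, i + 3); incomment = 0 }
      else { i = index(line, "<!--"); if (i == 0) break; line = substr(line, i + 4); incomment = 1 }
    }
    print keep
  }' "$conf" > "$conf.tmp"
  # Overwrite in place (rather than mv) so ownership and permissions are kept.
  cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
}

# Usage (assumed path; adjust to your installation), then restart the SPM Dashboard:
#   conf="$TIBCO_HOME/amxspmdashboard/<version>/amxdashboard/tomcat/conf/server.xml"
#   disable_ajp_connector "$conf"
#   active_ajp_connectors "$conf"   # expect 0
if [ "$#" -ge 1 ]; then
  disable_ajp_connector "$1"
  echo "active AJP connectors remaining: $(active_ajp_connectors "$1")"
fi
```

Run it with the server.xml path as its only argument, then restart the SPM Dashboard (step 4). The script only rewrites a Connector element that sits on a single line, which is how the page shows it; if your server.xml spreads the AJP Connector over several lines, the count it reports stays above zero and you should comment the element out by hand. After the restart, a listener check such as `ss -ltn | grep ':8009'` (or `netstat -an` on platforms without ss) should return nothing.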

Additional Information

https://www.chaitin.cn/en/ghostcat
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31