Ghostcat (https://nvd.nist.gov/vuln/detail/CVE-2020-1938) is a vulnerability in the Apache JServ Protocol (AJP) connector of Apache Tomcat. Anyone who can open a TCP connection to the AJP port (8009 in the stock configuration) can read arbitrary files from the web application directory and, if the application also accepts file uploads, execute code by having an uploaded file processed as a JSP. In Apache Tomcat obtained directly from Apache (http://tomcat.apache.org/), the AJP connector was enabled by default until the fixed releases 7.0.100, 8.5.51 and 9.0.31, which ship with it commented out and require a shared secret.
Intershop uses Apache Tomcat as its application server, but the default configuration shipped with Intershop 7 does not enable the Apache JServ Protocol (AJP). Therefore, Intershop's application server in its default configuration is not affected by the Ghostcat vulnerability.
Please see the following Q&A section for details.
Q: Is Intershop 7 affected by the Ghostcat vulnerability?
A: No. Exploiting the Ghostcat vulnerability requires an enabled AJP connector. In the default configuration shipped with Intershop 7 the AJP connector is disabled. Therefore, Intershop 7 in its default configuration is not affected by the Ghostcat vulnerability.
Q: If a project enables the Apache JServ Protocol (AJP) in addition to the default configuration, is Intershop 7 vulnerable then?
A: Even if AJP is enabled in a custom project, Tomcat is not the service that faces the internet (neither as front end nor as back end). The Web Adapter extension of the Apache web server does the front-end/back-end work, so Tomcat itself is not reachable from the internet and the vulnerability cannot be exploited from there. Note that this protection comes from network exposure, not from the Web Adapter itself: any host that can open a TCP connection to the AJP port can exploit the vulnerability. An AJP connector that is enabled should therefore be bound to a loopback address (or be firewalled to the hosts that need it) and, where the Tomcat version supports it, be configured with a shared secret.
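As an added check (example code, not part of Intershop's or Apache's documentation), the following Python script inspects a Tomcat server.xml for active AJP connectors. It covers both questions above: confirming that no AJP connector is active in the default configuration, and, where a project enables one, confirming that it is bound to a loopback address and carries a shared secret. The three server.xml samples are constructed for the example. The attribute names `protocol`, `address`, `secret`, `secretRequired` and the older `requiredSecret` are those documented for stock Apache Tomcat; the location of server.xml inside an Intershop installation is not assumed here, the script only inspects the XML text it is given.

```python
"""Audit a Tomcat server.xml for active AJP connectors (the Ghostcat precondition).

Added example, not Intershop's or Apache's code. The samples below are constructed.
"""
import xml.etree.ElementTree as ET

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def audit_ajp(server_xml: str) -> list:
    """Return one finding dict per active AJP connector found in server_xml.

    ElementTree drops XML comments while parsing, so a connector that is
    commented out (the stock layout since Tomcat 7.0.100/8.5.51/9.0.31) yields
    no finding, which is the desired result: a commented-out connector is off.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        # Matches both "AJP/1.3" and class names such as
        # org.apache.coyote.ajp.AjpNioProtocol.
        if "AJP" not in proto.upper():
            continue
        # Without an explicit address Tomcat binds the connector to all interfaces.
        address = conn.get("address", "0.0.0.0")
        # 'secret' since 7.0.100/8.5.51/9.0.31; 'requiredSecret' on older versions.
        secret = conn.get("secret") or conn.get("requiredSecret")
        problems = []
        if address not in LOOPBACK_ADDRESSES:
            problems.append(
                "AJP bound to %s: any host that can reach the port can exploit "
                "CVE-2020-1938" % address)
        if not secret:
            problems.append("no AJP secret configured: every AJP client is accepted")
        findings.append({
            "port": conn.get("port"),
            "address": address,
            "secret_set": bool(secret),
            "problems": problems,
            "safe": not problems,
        })
    return findings


# Constructed sample 1: the stock Tomcat layout before the fixed releases.
# AJP is active on all interfaces with no secret, i.e. exploitable by any
# host that can connect to TCP/8009.
STOCK_DEFAULT_PRE_FIX = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

# Constructed sample 2: AJP connector commented out, as in a configuration
# that does not use AJP at all. No active AJP connector, nothing to exploit.
AJP_COMMENTED_OUT = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

# Constructed sample 3: a project that needs AJP, hardened the way the text
# recommends: loopback binding plus a shared secret (placeholder value).
HARDENED = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-LONG-RANDOM-VALUE"
               redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""


if __name__ == "__main__":
    for name, xml_text in [("stock pre-fix", STOCK_DEFAULT_PRE_FIX),
                           ("AJP commented out", AJP_COMMENTED_OUT),
                           ("hardened", HARDENED)]:
        result = audit_ajp(xml_text)
        print(name, "->", "no active AJP connector" if not result else result)
```

Run it against a real server.xml by replacing the sample text with the file contents; an empty result means AJP is off, and any finding with `safe` set to False should be treated as exposure of the AJP port to everything that can route to it.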
Q: Can I update the Apache Tomcat in Intershop 7 to a version that fixes the Ghostcat vulnerability?
A: Intershop 7 ships an extended version of Apache Tomcat, so the Tomcat cannot be replaced directly by a stock Apache release.
Q: When will Intershop provide an Apache Tomcat version that fixes the Ghostcat vulnerability?
A: Intershop will not update the Tomcat for Intershop 7.10 and below as long as no security issue is found that applies to the Intershop setup. Starting with Intershop 7.11 the Tomcat version will be updated, and the Intershop-specific extensions of Tomcat will be removed to significantly improve compatibility and upgradability.
The information provided in the Knowledge Base may not be applicable to all systems and situations. Intershop Communications will not be liable to any party for any direct or indirect damages resulting from the use of the Customer Support section of the Intershop Corporate Web site, including, without limitation, any lost profits, business interruption, loss of programs or other data on your information handling system.