| Summary: Xerox DocuShare deployments using the bundled Apache Tomcat AJP connector are affected by CVE-2026-43514. The practical risk depends on whether TCP port 8009 is reachable from untrusted systems. Customers can reduce exposure immediately by restricting access to port 8009 or by changing the AJP connector binding to the local host when no remote bridge is required. |
Affected Products
All currently supported on-premises Xerox DocuShare releases use bundled Apache Tomcat 9.0.x versions that fall within the affected upstream range for CVE-2026-43514. This applies to both Windows and Linux deployments.
Overview
CVE-2026-43514 is an Apache Tomcat timing side-channel issue involving comparison of the shared secret used by the AJP connector. In a standard DocuShare deployment, the AJP connector is enabled on port 8009 and configured to require a secret.
The AJP connector is enabled whether or not an IIS or Apache bridge is installed. By default, it listens on all interfaces unless configuration or firewall controls limit exposure.
A successful attack would require network access to the AJP port and a large number of repeated timing measurements. Because of that, practical exploitability is lower when internal ports are not exposed to untrusted networks.
Risk Assessment
| Assessment Item | Finding |
| AJP connector default state | Enabled by default in the DocuShare Tomcat configuration on TCP port 8009 and listening on all interfaces unless changed. |
| Authentication on AJP | Configured to require a shared secret. |
| Primary exposure condition | Port 8009 is reachable from untrusted or unnecessary network locations. |
| Practical exploitability | Low to moderate in most environments, but the default out-of-box configuration leaves the connector network-reachable unless the deployment is separately hardened. |
| Immediate mitigation | Restrict access to TCP port 8009 or change the AJP connector binding to 127.0.0.1 when no remote bridge depends on it. |
| Important: Customers do not need to wait for a future DocuShare maintenance release to reduce exposure from this CVE. The recommended mitigations below address the reachable attack surface immediately. |
Recommended Actions
Choose the mitigation that matches your deployment model.
Option A: Restrict access to TCP port 8009
- Use host or network firewall rules to allow TCP port 8009 only from the specific trusted host or hosts that require AJP access.
- If no remote IIS or Apache bridge requires AJP, block access to TCP port 8009 from all remote systems.
- Review any server build or firewall exceptions that expose TCP port 8009 more broadly than intended.
Option B: Bind the AJP connector to the local host
- Use this option only when your DocuShare server does not rely on a remote IIS or Apache bridge on another host.
- Open tomcat/conf/server.xml and locate the AJP connector for port 8009.
- Find the existing address="::" attribute on that connector.
- Change that attribute to address="127.0.0.1".
- Save the file and restart the DocuShare services so the change takes effect.
| Re-verify after upgrades: After applying a DocuShare upgrade, re-check the AJP connector address using the validation steps below. A full upgrade that lays down a fresh server.xml template may restore the default address setting. |
How to Check Your Deployment
- Open tomcat/conf/server.xml and locate the AJP connector entry for port 8009.
- Check whether the connector is bound to all interfaces or to a specific loopback address such as 127.0.0.1 or [::1].
- On Windows, run netstat -ano | findstr :8009 to confirm whether the port is listening.
- On Linux, run ss -ltn | grep 8009 or netstat -ltn | grep 8009 to confirm whether the port is listening.
- If the port is listening on a non-loopback address, verify that host or network firewall rules limit access to trusted systems only.
- If your environment uses an IIS or Apache bridge on another host, confirm that only that trusted host can reach TCP port 8009.
Resolution Status
Xerox will provide updated customer guidance as newer DocuShare maintenance levels become available. Until then, the mitigations above are the recommended way to reduce exposure from CVE-2026-43514 in current DocuShare deployments.