SUSE Linux Enterprise Server for SAP 12-SP3 (src): tomcat-8.0.53-29.22.1
#Tomcat bugzilla update
SUSE-SU-2020:0725-1: An update that fixes one vulnerability is now available. (Note that you must change the above “YOUR_TOMCAT_AJP_SECRET” to a safer value that cannot be easily guessed or cracked.) If you can’t do upgrade, you can configure the “requiredSecret” attribute for the AJP Connector to set AJP protocol authentication credentials.
#Tomcat bugzilla upgrade
If the AJP Connector service is in use, we recommend that you upgrade Tomcat to version 9.0.31, 8.5.51, or 7.0.100, and then configure the “secret” attribute for the AJP Connector to set AJP protocol authentication credentials. In addition to the above measures, of course, you can also use firewalls to prevent untrusted sources from accessing the Tomcat AJP Connector service port.Ģ. (3)Save the edit, and then restart Tomcat. What versions of the Tomcat are affected ?Īpache Tomcat 9.x /conf/server.xml,find the following line ( is the Tomcat work directory):
#Tomcat bugzilla code
In addition, if the website application allows users upload file, an attacker can first upload a file containing malicious JSP script code to the server (the uploaded file itself can be any type of file, such as pictures, plain text files etc.), and then include the uploaded file by exploiting the Ghostcat vulnerability, which finally can result in remote code execution. It can reduce the processing cost of HTTP requests, so it is mainly used in scenarios that require clustering or reverse proxy.īy exploiting the Ghostcat vulnerability, an attacker can read the contents of configuration files and source code files of all webapps deployed on Tomcat.
The AJP protocol can be understood as a performance optimized version of the HTTP protocol in binary format. The AJP Connector uses the AJP protocol (Apache Jserv Protocol). HTTP Connector is used to provide HTTP Web services that we often use. HTTP Connector: used to process HTTP protocol requests (HTTP/1.1), and the default listening address is 0.0.0.0:8080ĪJP Connector: used to process AJP protocol requests (AJP/1.3), and the default listening address is 0.0.0.0:8009 It enables Catalina to receive requests from the outside, pass them to the corresponding web application for processing, and return the response result of the request.īy default, Tomcat is configured with two Connectors, which are HTTP Connector and AJP Connector: Tomcat Connector is the channel for Tomcat to connect to the outside. This vulnerability affects all versions of Tomcat in the default configuration (when we found this vulnerability, it was confirmed that it affected all versions of Tomcat 9/8/7/6, and older versions that were too old were not verified), which means that it has been dormant in Tomcat for more than a decade. Why is this vulnerability called Ghostcat ? In addition, if the target web application has a file upload function, the attacker may execute malicious code on the target host by exploiting file inclusion through Ghostcat vulnerability. For example, An attacker can read the webapp configuration files or source code. Due to a flaw in the Tomcat AJP protocol, an attacker can read or include any files in the webapp directories of Tomcat. Ghostcat is a serious vulnerability in Tomcat discovered by security researcher of Chaitin Tech. It has been used for more than 20 years since its initial release. Java is currently the most popular programming language in Web development, and Tomcat is one of the most popular Java middleware servers. This way new installations will have to enable the AJP connector manually if really needed.Įxisting installations that rely on the default configurations will have to enable it manually.Įxisting installations using AJP with a custom configuration won't be impacted. change the default of "secretRequired" to "false". To avoid disrupting SUSE Manager and reduce the impact on other Tomcat installations that rely on AJP I'm proposing to:
Upgrading to a Tomcat version that includes this fix would make the application unavailable. This change will impact SUSE Manager because it's using the AJP connector. If the "secret" attribute is empty Tomcat will refuse to start the AJP connector. The default value for secretRequired is "true". The secret must be set both in the Tomcat config and and in the Apache config. Upstream recommends either disabling the AJP connector if it's not used or changing the configuration of the AJP connector to use secretRequired="true" and setting secret=".".
0 kommentar(er)
