Apache Web Server / Ghostcat vulnerability

Article ID: 186130

Products

Vantage Storage Resource Manager GRAPHICAL MANAGEMENT INTERFACE

Issue/Introduction

Due to the new Ghostcat vulnerability in Apache Tomcat’s Apache JServ Protocol (AJP), our Vantage web clients need to be shut down.

Is there a patch yet available for Tomcat that can be provided?

Resolution

Following the recently found vulnerability affecting all versions of Tomcat, the issue will be addressed in two stages:
1. Immediate fix (for customers who ask): disable the AJP protocol in Tomcat.
2. New PAX: a new release is being created in which Tomcat is upgraded to a secure version and the AJP port is disabled by default.
 
How to disable AJP manually:
 
To disable the AJP connector you should follow these steps:
1. Stop the Vantage StoragePoint™ Web Client started task.
2. Navigate to the conf folder located in the Tomcat folder (for example, apache-tomcat-x.y.nn/conf).
3. Open the server.xml file.
4. Search for the AJP connector (<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />).
5. Comment out the AJP connector (<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->).
6. Save.
7. Start Vantage StoragePoint™ Web Client started task.