Apache Tomcat GhostCat Vulnerability with Clarity
Article ID: 186349

Products

Clarity PPM On Premise

Issue/Introduction

Purpose of the Document

Review the impact of the Apache Tomcat Ghostcat vulnerability on Clarity and how it can be mitigated.

What is Apache Tomcat GhostCat Vulnerability?

The Ghostcat vulnerability exploits the Apache JServ Protocol (AJP), which generally runs on port 8009, and grants an attacker access to deploy or read files from Tomcat directories. This only applies if your AJP connector is exposed to the internet, that is, if the AJP connector is bound to an external IP address.

Which versions of Tomcat are affected?

The following versions of Tomcat are impacted by this vulnerability:

  • Apache Tomcat 9.x versions below 9.0.31
  • Apache Tomcat 8.x versions below 8.5.51
  • Apache Tomcat 7.x versions below 7.0.100
  • Apache Tomcat 6.x (all versions)


Environment

All supported Clarity environments

Cause

Apache Tomcat GhostCat vulnerability, CVE-2020-1938 (see the National Vulnerability Database entry).

Resolution

Review the Impact on your Clarity PPM Implementation

You can mitigate the risk of the Ghostcat vulnerability by identifying which of the following scenarios applies to your enterprise and performing the corresponding actions.

Scenario 1: You are not using the AJP port in your enterprise.

You can simply comment out the AJP connector in the server.xml file. Perform the following steps:

  1. Stop and remove all the Clarity services:
    • service stop app bg beacon nsa
    • service remove app bg beacon nsa
  2. Navigate to the <Tomcat work directory>/conf directory and open the server.xml file.
  3. Find the following line and comment it out:
    • <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  4. Save your changes, then redeploy and start all the Clarity services.
  5. Add, deploy and start all services:
    • service add deploy app bg beacon nsa
    • service start app bg beacon nsa

Scenario 2: You are using the AJP port in your enterprise.

If you are using the AJP port in your enterprise, remember that AJP is not a highly trusted protocol. You should never expose the AJP port to untrusted clients, because it is transmitted in clear text (no built-in security) and assumes that your network is safe.

You can apply the following mitigations, in order of preference:

  • Disable AJP in Tomcat by following the steps in Scenario 1, point 2.
  • Start using HTTP or HTTPS for incoming proxy connections. The HTTP and HTTPS protocols do not have the same trust issues as AJP.
  • Protect the AJP connection with a secret and review network binding and firewall configurations. Ensure that incoming connections are only allowed from trusted hosts. If you want to protect your AJP connection with a secret, you may have to upgrade Tomcat. Please refer to this link to learn more about the changes Tomcat made in specific versions.
  • Use only network binding and firewall configuration to ensure incoming connections are only allowed from trusted hosts.
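As an added check that is not part of this article or of Clarity, the following Python script parses a server.xml and reports every enabled AJP connector, flagging the two weaknesses the scenarios above address: a connector bound to all interfaces and a missing shared secret. The server.xml content is a constructed sample, not taken from a Clarity installation.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not from a real Clarity install):
# the AJP connector is enabled, has no explicit address and no secret.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# Addresses that restrict the connector to the local machine.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per enabled AJP connector in a server.xml document.

    A connector that has been commented out (Scenario 1) is skipped by the
    XML parser and therefore produces no finding.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        address = conn.get("address")
        issues = []
        # With no explicit address, Tomcat releases before the fix listened on
        # all interfaces, which is the exposure GhostCat relies on.
        if address is None or address in ("0.0.0.0", "::"):
            issues.append("bound to all interfaces (set address to a loopback or trusted IP)")
        elif address not in LOOPBACK:
            issues.append(f"bound to non-loopback address {address}; confirm firewall rules")
        # 'secret' is the shared secret the article recommends; it needs a
        # Tomcat version that supports the attribute.
        if not conn.get("secret"):
            issues.append("no AJP secret configured")
        findings.append({"port": conn.get("port"), "address": address, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {f['port']}: " + "; ".join(f["issues"]))
```

Run it against a copy of <Tomcat work directory>/conf/server.xml; an empty result means no AJP connector is enabled, which is the state Scenario 1 produces.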

Additional Information

Note: Clarity SaaS is not impacted by the Apache Tomcat Ghostcat vulnerability since Clarity SaaS does not use or expose the AJP port.