ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Clarity: Apache Tomcat GhostCat Vulnerability

book

Article ID: 186349

calendar_today

Updated On:

Products

Clarity PPM On Premise

Issue/Introduction

Purpose of the Document

Review the impact of Apache Tomcat Ghostcat vulnerability with Clarity PPM  and how it can be mitigated.

What is Apache Tomcat GhostCat Vulnerability?

The Ghostcat vulnerability exploits the Apache JServ Protocol (AJP) which is generally run on port 8009 and grants an attacker access to deploy or read files from Tomcat directories. This only happens if your AJP connector is exposed over the internet that is to say the AJP connector is bound to an external IP address.

Which versions of Tomcat are affected?

The following versions of Tomcat are impacted by this vulnerability:

  • Apache Tomcat 9.x that are below build 9.0.31
  • Apache Tomcat 8.x that are below build 8.5.51
  • Apache Tomcat 7.x that are below build 7.0.100
  • Apache Tomcat 6.x

 

Cause

Apache Tomcat GhostCat Vulnerability CVE-2020-1938 NATIONAL VULNERABILITY DATABASE

Environment

All Supported Clarity Environment 

Resolution

Review the Impact on your Clarity PPM Implementation

You can mitigate the risk of Ghostcat vulnerability by identifying, which of the following scenarios is applicable in your enterprise and performing the appropriate actions.

Scenario 1: You are not using the AJP port in your enterprise. 

You can simply comment out the AJP protocol section in the server.xml file. Perform the following steps:

 

  1. Stop and remove all the clarity services
Service Stop all
Service remove app bg beacon nsa
Service start all 

    2. Navigate to the <Tomcat work directory>/conf directory and open the server.xml file.

    3. Find the following line and comment it out.
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

    4.Save your changes and redeploy and start all the clarity services

Service add deploy app bg beacon nsa
Service start all 

 

Scenario 2: You are using the AJP port in your enterprise.

If you are using the AJP port in your enterprise, remember that AJP is not a highly trusted protocol. You should never expose the AJP port to untrusted clients because it uses insecure (clear text transmission) and assumes that your network is safe. 

 

You can apply the following mitigation in your order of preference:

 

  • Disable AJP in Tomcat by following the steps mentioned in scenario 1 Point 2
  • Start using HTTP or HTTPS for incoming proxy connections. The HTTP and HTTPS protocols do not contain the same trust issues as AJP.
  • Protect the AJP connection with a secret and review network binding and firewall configurations. Ensure that you allow incoming connections from trusted hosts. If you want to project your AJP connection with a secret, you may have to upgrade Tomcat. Please refer to this link to learn more about changes made by Tomcat to specific versions. 
  • Use only network binding and firewall configuration to ensure incoming connections are only allowed from trusted hosts.





Additional Information

Note: Clarity PPM SaaS is not impacted by the Apache Tomcat Ghostcat vulnerability since Clarity PPM SaaS does not use or expose the AJP port.