
Ghostcat vulnerability query regarding Rally and Tomcat


Article ID: 186407


Updated On:

Products

CA Agile Central On Premise (Rally)

Issue/Introduction

Due to the recent announcement of the Ghostcat vulnerability in Tomcat, Rally On-prem customers are checking all services to ensure they aren't affected.


Cause


Ghostcat in itself is a Local File Include/Read vulnerability, not an Arbitrary File Upload/Write vulnerability. On the Apache Tomcat Security Advisory page, Ghostcat is described as “AJP Request Injection and potential Remote Code”. Ghostcat affects all versions of Tomcat in their default configuration: it was confirmed to affect all versions of Tomcat 9, 8, 7 and 6, while older versions were not verified.
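Ghostcat is reached through Tomcat's AJP connector, so the practical check for any Tomcat an environment does run is whether server.xml defines an AJP connector and how it is exposed. The script below is an added example, not part of this article or of Rally; the server.xml content is constructed, and the `address`, `secret` and `protocol` attributes are the standard Tomcat Connector attributes (`secret`/`secretRequired` were added with Tomcat's Ghostcat fix and are absent on older releases).

```python
# Added example: audit a Tomcat server.xml for AJP connectors (the entry point
# Ghostcat abuses) and flag those listening on all interfaces with no shared secret.
import xml.etree.ElementTree as ET

# Constructed sample server.xml: one HTTP connector plus an AJP connector
# declared the way older default server.xml files shipped it.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding dict per AJP connector in server_xml.

    A connector counts as exposed when it binds to all interfaces (no
    `address`) or to a non-loopback address, and defines no `secret`.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # Tomcat treats a missing protocol attribute as HTTP/1.1.
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        address = conn.get("address")
        has_secret = bool(conn.get("secret"))
        network_exposed = address is None or address not in LOOPBACK
        findings.append({
            "port": conn.get("port"),
            "address": address or "0.0.0.0 (all interfaces)",
            "has_secret": has_secret,
            "exposed": network_exposed and not has_secret,
        })
    return findings


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "EXPOSED" if f["exposed"] else "ok"
        print(f"AJP {f['address']}:{f['port']} secret={f['has_secret']} -> {status}")
```

Point the script at a real `conf/server.xml` to confirm that no AJP connector is present, or that any remaining one is bound to loopback and protected by a secret.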

Environment

Release : 2018.1

Component : AGILE CENTRAL ON PREMISES

Resolution

Please note that we (Rally On-Prem) do not use Tomcat services; therefore we are not affected.