
Tomcat Vulnerability Detected: AJP Connector, Web Viewer 12.1 (Ghostcat)

Article ID: 187226

Products

Output Management Web Viewer

Issue/Introduction

Our internal 3rd Party Vulnerability team detected a vulnerability in Tomcat on the OM Web Viewer Servers. Please provide information to remediate this issue or guidance on the remediation.

The threat indicates that Apache Tomcat fixed a vulnerability that allows an attacker to read any file under the web application directories. If the Tomcat instance supports file uploads, the vulnerability could also be leveraged to achieve remote code execution. The issue is also known as 'Ghostcat'.

Affected versions are:

Apache Tomcat 9.0.0 through 9.0.30

Apache Tomcat 8.5.0 through 8.5.50

Apache Tomcat 7.0.0 through 7.0.99

QID Detection Logic (Unauthenticated)

The QID sends an AJP request for the web.xml file. Note: Tomcat 8.0.x versions were also found to be affected during the investigation.

Remediation Notes: Updated versions of Apache Tomcat are available that fix these vulnerabilities. As a workaround, the AJP connector port can be temporarily disabled.

There are already patches available on https://tomcat.apache.org/

Environment

Release : 12.1

Component : OUTPUT MANAGEMENT WEB VIEWER FOR ALL PLATFORMS

Resolution

Workaround
Edit the server.xml file and comment out the section referencing the AJP connector. The `<!--` line begins the XML comment and the `-->` line ends it, so the whole Connector element is disabled:

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <!--
    <Connector protocol="AJP/1.3"
               address="::1"
               port="8009"
               redirectPort="8443" />
    -->
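As an added example (not part of this KB article and not Broadcom code), the Python script below turns the article's two data points into checks an administrator can run: whether an installed Tomcat version falls in the affected ranges listed above (plus the 8.0.x note), and whether a server.xml still contains a live AJP connector after the workaround has been applied. Because the XML parser discards comments, a connector that has been commented out as shown simply disappears from the result. The two server.xml fragments are constructed samples, and the file path in the usage block is an assumption.

```python
"""Ghostcat exposure checks built from the advisory data in the KB article.

Added example, not part of the article. Checks:
  1. is_affected(version): version in an affected range the article lists.
  2. active_ajp_connectors(xml): AJP Connector elements that are not
     commented out, with whether they are loopback-bound and have a secret.
"""
import xml.etree.ElementTree as ET

# Affected ranges exactly as the article lists them: (min, max), inclusive.
AFFECTED_RANGES = [
    ((9, 0, 0), (9, 0, 30)),
    ((8, 5, 0), (8, 5, 50)),
    ((7, 0, 0), (7, 0, 99)),
]

LOOPBACK = ("127.0.0.1", "::1", "localhost")


def parse_version(version):
    """Turn '9.0.30' into (9, 0, 30); reject anything that is not x.y.z."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Tomcat version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version):
    """True if the version is in a listed range, or is 8.0.x (which the
    article's detection note says was also found affected)."""
    v = parse_version(version)
    if v[:2] == (8, 0):
        return True
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def active_ajp_connectors(server_xml):
    """Describe every live AJP connector in a server.xml string.
    Commented-out <Connector> blocks never reach the parser's tree, so the
    result reflects what Tomcat would actually listen on."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # Matches "AJP/1.3" as well as the explicit AjpNioProtocol class name.
        if "ajp" not in conn.get("protocol", "").lower():
            continue
        address = conn.get("address", "")  # empty = all interfaces on old releases
        findings.append({
            "port": conn.get("port"),
            "address": address,
            "loopback_only": address in LOOPBACK,
            "secret_set": bool(conn.get("secret")),
        })
    return findings


def report(server_xml, version):
    """Plain-text findings combining both checks."""
    lines = []
    if is_affected(version):
        lines.append(f"Tomcat {version} is in an affected range: upgrade.")
    for f in active_ajp_connectors(server_xml):
        scope = "loopback only" if f["loopback_only"] else "reachable on " + (f["address"] or "all interfaces")
        secret = "secret set" if f["secret_set"] else "no secret"
        lines.append(f"Live AJP connector on port {f['port']} ({scope}, {secret}).")
    if not lines:
        lines.append("No Ghostcat exposure found by these checks.")
    return lines


# Constructed sample: the article's workaround applied (AJP commented out).
WORKAROUND_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <!--
    <Connector protocol="AJP/1.3" address="::1" port="8009" redirectPort="8443" />
    -->
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: AJP left enabled on every interface with no secret.
EXPOSED_XML = WORKAROUND_XML.replace("<!--\n    <Connector protocol=\"AJP/1.3\" address=\"::1\"",
                                     "<Connector protocol=\"AJP/1.3\" address=\"0.0.0.0\"") \
                            .replace("redirectPort=\"8443\" />\n    -->", "redirectPort=\"8443\" />")

if __name__ == "__main__":
    # Hypothetical path; adjust to the Web Viewer's Tomcat conf directory.
    # with open("/opt/tomcat/conf/server.xml") as fh: xml_text = fh.read()
    for line in report(EXPOSED_XML, "9.0.30"):
        print(line)
```

Running the script with the exposed sample reports both the affected version and the live connector; with the workaround sample and version 9.0.54 (the release Sustaining Engineering is targeting) it reports nothing. The `secret_set` flag is only meaningful for releases that support the AJP `secret` attribute; on the affected releases the usable fix is the upgrade plus the workaround shown above.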

Additional Information

Sustaining Engineering is working on the Tomcat 9.0.54 resolution.