Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 5 Current »

A serious vulnerability in Tomcat has been discovered and confirmed.

Due to a flaw in the Apache JServ Protocol (AJP) it’s possible for an attacker to read and even modify directories and files within the Tomcat directory-structure. In some cases, the vulnerability even allowed the upload of executable code.

Caution: KGS products don’t use the AJP.

Affected Versions

Apache Tomcat version 6.x (all versions)

Apache Tomcat version 7.x (before version 7.0.100)

Apache Tomcat version 8.x (before version 8.5.51)

Apache Tomcat version 9.x (before version 9.0.31)

How can I fix it?

You can fix the vulnerability by installing / updating your Apache Tomcat installation to version 7.0.100 , 8.5.51 or 9.0.31.

If you do not use other web application that use the AJP you may disable it as stated here:

Step 1:

Find the file server.xml in CATALINA_Base/conf and edit the line:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Step 2:

Commend the line out or delete it:

<!--<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />-->

Step 3:

Save the edit, and then restart Tomcat.

In addition to the above measures, of course, you can also use firewalls to prevent untrusted sources from accessing the Tomcat AJP Connector service port.

If you use web applications that use the AJP:

Step 1:

Upgrade to the versions 9.0.31, 8.5.51, or 7.0.100.

Step 2:

Configure the attribute “secret”:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="YOUR_TOMCAT_IP_ADDRESS" secret="YOUR_TOMCAT_AJP_SECRET" />

Alternative (without Upgrading):

Step 1:

Configure the attribute “requiredSecret“:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="YOUR_TOMCAT_IP_ADDRESS" requiredSecret="YOUR_TOMCAT_AJP_SECRET" />

Caution: The “YOUR_TOMCAT_AJP_SECRET” is a placeholder which shall be replaced by a strong secret.

  • No labels