
The vulnerability is in the Apache JServ Protocol (AJP) connector of Apache Tomcat. It allows an attacker to read files and source code in the webapps folder. In some cases it also makes it possible to upload executable code.

Caution: KGS products don’t use AJP.

Affected Versions

Apache Tomcat version 6.x (all versions)

Apache Tomcat version 7.x (before version 7.0.100)

Apache Tomcat version 8.x (before version 8.5.51)

Apache Tomcat version 9.x (before version 9.0.31)

How can I fix it?

You can fix the vulnerability by upgrading to Apache Tomcat version 7.0.100, 8.5.51 or 9.0.31.

If you do not use the AJP Connector

Step 1:

Find the file server.xml in CATALINA_BASE/conf and locate the line:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Step 2:

Comment the line out or delete it:

<!--<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />-->

Step 3:

Save the edit, and then restart Tomcat.

In addition to the above measures, you can also use a firewall to prevent untrusted sources from reaching the Tomcat AJP Connector port.
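As an added example (not part of the original page), the following Python script automates the check behind Steps 1 to 3: it parses a constructed sample of CATALINA_BASE/conf/server.xml, reports every AJP connector that is still active together with the address it listens on, and produces a copy in which those connectors are commented out exactly as shown in Step 2. The sample file content is an assumption; the path and attribute names are Tomcat's own.

```python
"""Audit a Tomcat server.xml for active AJP connectors and disable them.

Added example; not code from the original page. The sample below is a
constructed fragment of CATALINA_BASE/conf/server.xml, not a real file.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# Matches a self-closing <Connector .../> whose protocol is AJP, whether written
# as "AJP/1.3" or as one of the org.apache.coyote.ajp.* protocol classes.
AJP_CONNECTOR_RE = re.compile(
    r'<Connector\b[^>]*protocol="(?:AJP/|org\.apache\.coyote\.ajp\.)[^"]*"[^>]*/>')
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)


def active_ajp_connectors(server_xml):
    """Return (port, address) for every AJP connector that is not commented out.

    ElementTree drops XML comments while parsing, so a connector that was
    already disabled with <!-- ... --> is not reported.
    """
    found = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" in conn.get("protocol", "").lower():
            # Without an explicit address attribute the connector listens on
            # every interface, which is what a firewall rule must cover.
            found.append((conn.get("port"), conn.get("address", "0.0.0.0")))
    return found


def disable_ajp_connectors(server_xml):
    """Wrap each active AJP <Connector .../> in an XML comment (Step 2 above).

    Existing comments are copied through unchanged, so running this twice
    never nests comments.
    """
    wrap = lambda m: "<!--" + m.group(0) + "-->"
    out, pos = [], 0
    for c in COMMENT_RE.finditer(server_xml):
        out.append(AJP_CONNECTOR_RE.sub(wrap, server_xml[pos:c.start()]))
        out.append(c.group(0))
        pos = c.end()
    out.append(AJP_CONNECTOR_RE.sub(wrap, server_xml[pos:]))
    return "".join(out)


if __name__ == "__main__":
    for port, addr in active_ajp_connectors(SAMPLE_SERVER_XML):
        print("active AJP connector on %s:%s" % (addr, port))
    print(disable_ajp_connectors(SAMPLE_SERVER_XML))
```

After writing the hardened copy back to server.xml, restart Tomcat as in Step 3 and re-run the audit to confirm that no AJP connector is reported.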

If you use the AJP Connector
