I am surprised this hasn't hit this list already:
"Ghostcat" is a new security vulnerability in Tomcat's AJP Connector that
potentially allows attackers to take over the server. You can read more about
the problem at
• https://www.bleepingcomputer.com/news/security/active-scans-for-apache-tomcat-ghostcat-vulnerability-detected-patch-now/
• https://www.esri.com/arcgis-blog/products/arcgis-online/administration/dont-get-bitten-by-ghostcat-tomcat-vulnerability/
• https://securityboulevard.com/2020/02/patch-your-tomcat-and-jboss-instances-to-protect-from-ghostcat-vulnerability-cve-2020-1938-and/
• https://nvd.nist.gov/vuln/detail/CVE-2020-1938
Updates are available for the recent versions of Tomcat to fix this. We have
updated 2 TDS to Tomcat 8: 8.5.51 with no issues that I can see, but then again
we aren't using AJP.
-Roy
**********************
"The contents of this message do not reflect any position of the U.S.
Government or NOAA."
**********************
Roy Mendelssohn
Supervisory Operations Research Analyst
NOAA/NMFS
Environmental Research Division
Southwest Fisheries Science Center
***Note new street address***
110 McAllister Way
Santa Cruz, CA 95060
Phone: (831)-420-3666
Fax: (831) 420-3980
e-mail: Roy.Mendelssohn@xxxxxxxx www: https://www.pfeg.noaa.gov/
"Old age and treachery will overcome youth and skill."
"From those who have been given much, much will be expected"
"the arc of the moral universe is long, but it bends toward justice" -MLK Jr.