Re: [thredds] Tomcat Ghostcat Vulnerability

Hi Roy,

In general a best practice deployment of Tomcat with an AJP connection 
established should limit that connection to a specific host over SSL.

For example:

    <Connector
        port="8009"
        protocol="AJP/1.3"
        redirectPort="443"
        scheme="https"
        address="127.0.0.1"
        enableLookups="false"
        tomcatAuthentication="false"
        />

This has been our practice for some time.

It makes the AJP endpoint much more difficult to access unless the intruder has 
already compromised your host, in which case things are already horrible.

I don't think this practice is something in lieu of the patches you posted; 
rather, even on a patched, publicly accessible system the AJP connection should be 
clamped down in a similar manner.

Nathan

> On Mar 9, 2020, at 8:51 PM, Roy Mendelssohn - NOAA Federal via thredds 
> <thredds@xxxxxxxxxxxxxxxx> wrote:
> 
> I am surprised this hasn't hit this list already:
> 
> "Ghostcat" is a new security vulnerability in Tomcat's AJP Connector that 
> potentially allows attackers to take over the server. You can read more about 
> the problem at
>       • 
> https://www.bleepingcomputer.com/news/security/active-scans-for-apache-tomcat-ghostcat-vulnerability-detected-patch-now/
>       • 
> https://www.esri.com/arcgis-blog/products/arcgis-online/administration/dont-get-bitten-by-ghostcat-tomcat-vulnerability/
>       • 
> https://securityboulevard.com/2020/02/patch-your-tomcat-and-jboss-instances-to-protect-from-ghostcat-vulnerability-cve-2020-1938-and/
>       • https://nvd.nist.gov/vuln/detail/CVE-2020-1938
> 
> Updates are available for the recent versions of Tomcat to fix this. We have 
> updated 2 TDS to Tomcat 8: 8.5.51 with no issues that I can see, but then 
> again we aren't using AJP.
> 
> -Roy
> 
> **********************
> "The contents of this message do not reflect any position of the U.S. 
> Government or NOAA."
> **********************
> Roy Mendelssohn
> Supervisory Operations Research Analyst
> NOAA/NMFS
> Environmental Research Division
> Southwest Fisheries Science Center
> ***Note new street address***
> 110 McAllister Way
> Santa Cruz, CA 95060
> Phone: (831)-420-3666
> Fax: (831) 420-3980
> e-mail: Roy.Mendelssohn@xxxxxxxx www: https://www.pfeg.noaa.gov/
> 
> "Old age and treachery will overcome youth and skill."
> "From those who have been given much, much will be expected" 
> "the arc of the moral universe is long, but it bends toward justice" -MLK Jr.
> 
> _______________________________________________
> NOTE: All exchanges posted to Unidata maintained email lists are
> recorded in the Unidata inquiry tracking system and made publicly
> available through the web.  Users who post to any of the lists we
> maintain are reminded to remove any personal information that they
> do not want to be made public.
> 
> 
> thredds mailing list
> thredds@xxxxxxxxxxxxxxxx
> For list information or to unsubscribe,  visit: 
> https://www.unidata.ucar.edu/mailing_lists/ 

= = =
Nathan Potter                        ndp at opendap.org
OPeNDAP, Inc.                        +1.541.231.3317
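A defender's check for the clamp-down Nathan describes, added here as an example that is not part of this thread or of Tomcat itself: it parses a constructed server.xml fragment and flags any AJP connector that is not bound to loopback or has no AJP secret configured (the secret check assumes the secretRequired default that Tomcat 8.5.51/9.0.31 introduced as part of the CVE-2020-1938 fix; the sample secret value is a placeholder).

```python
import xml.etree.ElementTree as ET
from ipaddress import ip_address

# Constructed sample server.xml fragment (not from the thread): one AJP
# connector hardened as in Nathan's snippet, one left at pre-8.5.51 defaults.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" scheme="https"
               address="127.0.0.1" enableLookups="false" tomcatAuthentication="false"
               secretRequired="true" secret="REPLACE_WITH_RANDOM_SECRET"/>
    <Connector port="8010" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

LOOPBACK_NAMES = {"localhost"}


def is_loopback(addr):
    """True if the connector's address attribute binds only to loopback."""
    if addr is None:
        return False  # unset address meant "all interfaces" before 8.5.51
    if addr in LOOPBACK_NAMES:
        return True
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_ajp_connectors(server_xml):
    """Return one finding dict per AJP connector found in the server.xml text."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        address = conn.get("address")
        issues = []
        if not is_loopback(address):
            issues.append("not bound to loopback (address=%r)" % address)
        # Tomcat 8.5.51+/9.0.31+ require a secret unless secretRequired="false";
        # either an explicit opt-out or a missing secret is worth a finding.
        if conn.get("secretRequired", "true").lower() != "true" or not conn.get("secret"):
            issues.append("no AJP secret configured")
        findings.append({"port": conn.get("port"), "address": address, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not f["issues"] else "FIX: " + "; ".join(f["issues"])
        print("AJP connector on port %s -> %s" % (f["port"], status))
```

Point it at a real server.xml by reading the file into `audit_ajp_connectors` instead of the constructed sample.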

