On February 27, 2020, the National Vulnerability Database disclosed a critical security flaw that had existed in Apache Tomcat for the past 13 years. The details of this flaw, commonly referred to as Ghostcat, are available in CVE-2020-1938.
This vulnerability was identified in the Apache Tomcat AJP connector, which processes the AJP/1.3 protocol. If exploited, it would allow an attacker to read the contents of configuration files and source code files of all webapps deployed on Tomcat. It could also make it possible for an attacker to remotely execute an uploaded file.
The Tomcat AJP connector enables Catalina, the Tomcat servlet container, to receive external requests and pass them to a web application for processing, and to return the results of a request.
Although Strategy versions 2020, 2019, and 10.4.8 support Tomcat for Strategy Mobile Server, Strategy Web, and the Strategy Library Server and REST Server, Strategy does not require the use of this connector or the AJP protocol.
Apache Tomcat has fixed the AJP security flaw in all supported versions. As such, Strategy urges all customers who rely on Tomcat for their Strategy deployments to upgrade their installations to the latest non-vulnerable version of Tomcat. Additionally, since the AJP connector uses the listening address 0.0.0.0:8009 by default, Strategy strongly advises customers to evaluate the services associated with port 8009 in their Tomcat configurations.
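The advice above to review what is listening on port 8009 can be turned into a configuration check. The following script is an added example written for this page, not code from Strategy or the Apache Tomcat project. It parses a Tomcat server.xml, finds every AJP connector and reports the settings that make Ghostcat exposure worse: an unset or wildcard bind address (pre-fix Tomcat releases listened on all interfaces when address was omitted, so the checker treats "unset" as exposed), a disabled shared secret (secretRequired="false"), and a missing secret attribute. The attribute names address, secret and secretRequired are those used by patched Tomcat releases; the three server.xml fragments are constructed samples, and the require_ajp flag encodes the advisory's point that Strategy deployments do not need AJP at all.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed sample 1: the historical Tomcat default, an AJP connector with no
# address restriction and no shared secret (not taken from any real deployment).
VULNERABLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# Constructed sample 2: AJP kept (e.g. behind a local mod_jk/mod_proxy_ajp front end),
# bound to loopback and protected by a shared secret. The secret is a placeholder.
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-LONG-RANDOM-SECRET" />
  </Service>
</Server>
"""

# Constructed sample 3: AJP connector commented out entirely, which is the
# recommended state when nothing in the deployment speaks AJP.
DISABLED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
  </Service>
</Server>
"""

# Bind addresses that expose the connector on every interface.
ALL_INTERFACES = {"0.0.0.0", "::", "::0", "0:0:0:0:0:0:0:0"}


def is_ajp_connector(connector: ET.Element) -> bool:
    """True for protocol="AJP/1.3" as well as explicit AJP protocol class names."""
    protocol = connector.get("protocol", "HTTP/1.1")
    return "ajp" in protocol.lower()


def audit_ajp_connectors(server_xml: str, require_ajp: bool = False) -> List[str]:
    """Return a list of human-readable findings for the AJP connectors in server_xml.

    An empty list means no AJP exposure was found. Commented-out connectors are
    ignored by the XML parser, so a disabled connector produces no findings.
    """
    root = ET.fromstring(server_xml)
    findings: List[str] = []
    for connector in root.iter("Connector"):
        if not is_ajp_connector(connector):
            continue
        port = connector.get("port", "unset")
        if not require_ajp:
            findings.append(
                f"port {port}: AJP connector is enabled but the deployment does not need AJP; remove it"
            )
        address = connector.get("address")
        if address is None or address in ALL_INTERFACES:
            findings.append(
                f"port {port}: AJP connector listens on all interfaces (address={address or 'unset'})"
            )
        if connector.get("secretRequired", "").lower() == "false":
            findings.append(f"port {port}: secretRequired=\"false\" disables the AJP shared secret")
        elif not connector.get("secret"):
            findings.append(f"port {port}: no AJP shared secret configured")
    return findings


if __name__ == "__main__":
    for label, xml_text in (
        ("vulnerable", VULNERABLE_SERVER_XML),
        ("hardened", HARDENED_SERVER_XML),
        ("disabled", DISABLED_SERVER_XML),
    ):
        results = audit_ajp_connectors(xml_text, require_ajp=(label == "hardened"))
        print(f"{label}: {len(results)} finding(s)")
        for line in results:
            print("  -", line)
```

Run it against a real server.xml with `audit_ajp_connectors(open(path).read())`; with the default `require_ajp=False` any surviving AJP connector is reported, which matches the advisory's position that Strategy deployments do not use the protocol. Even a hardened connector should still be paired with a Tomcat upgrade, since the bind address and secret limit who can reach the connector but do not change the connector's behaviour once reached.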
Further reading: ZDNet article; Red Hat (including JBoss).