Automic Workload Automation


Tomcat Vulnerability port 8009

  • 1.  Tomcat Vulnerability port 8009

    Posted Aug 12, 2020 04:30 PM
    Hi,

    I was notified about the Tomcat vulnerability for port 8009 for our Windows Web Servers.  I am on Tomcat 8.5.32.  Internet chatter to resolve this appears to be two solutions: 1. comment out the port 8009 in the server.xml. 2. upgrade to Tomcat 8.5.57.  I took the easy way out by commenting out the reference to port 8009 and recycling Tomcat.  I did a netstat -a findstr 8009 and nothing matched.  I also did a netstat -a just to go through the list and verify that port 8009 was not listening.  I also did the same command on a web server where 8009 is still listening and netstat -a showed that port 8009 was listening.  So I believe I resolved the vulnerability; however, I tried to ask Broadcom if Automic AWI uses AJP (Apache JServ Protocol).  They said they addressed the question (upgrade or check with our network team to see if the issue is resolved by commenting out references to port 8009) and closed the ticket (more like slammed the door).

    So my question to the community, does AWI use AJP?  Everything seems to function on the server with the port reference commented out.

    Thanks in advance.


  • 2.  RE: Tomcat Vulnerability port 8009

    Posted Aug 12, 2020 06:27 PM
    Following. 

    We are on Tomcat 9.0 and it also has 8009 in server.xml like so:
        <!-- Define an AJP 1.3 Connector on port 8009 -->
        <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />


    ------------------------------
    Pete Wirfs
    SAIF Corporation
    Salem Oregon USA
    ------------------------------



  • 3.  RE: Tomcat Vulnerability port 8009

    Posted Aug 13, 2020 02:08 PM
    Thanks Pete.  Then I assume that you also have the same vulnerability since port 8009 is enabled?


  • 4.  RE: Tomcat Vulnerability port 8009

    Posted Aug 13, 2020 02:34 PM
    I can only assume the vulnerability exists on my servers.  Most discussions I've found about this vulnerability recommend doing what you did, which is to comment it out in server.xml.  But I sure wish Broadcom would tell us what they recommend.  I might try asking them myself.  @Jared Kessans' solution sounds pretty smart too.

    ------------------------------
    Pete Wirfs
    SAIF Corporation
    Salem Oregon USA
    ------------------------------



  • 5.  RE: Tomcat Vulnerability port 8009

    Posted Aug 13, 2020 02:42 PM
    I just checked the Broadcom knowledge base.  It contains documents that address this vulnerability for various products that they support, but they do not have one for AWA.  Guess I'll open my own ticket on this.

    ------------------------------
    Pete Wirfs
    SAIF Corporation
    Salem Oregon USA
    ------------------------------



  • 6.  RE: Tomcat Vulnerability port 8009
    Best Answer

    Posted Aug 13, 2020 07:45 AM
    Edited by Christopher Hackett Aug 20, 2020 05:04 PM
    We resolved our issue with this in late April, or it at least satisfied the security group as it doesn't show up on any vulnerability reports.  The hosting team handled it by removing authentication and only listening on the local server.

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" secretRequired="false" address="127.0.0.1" />

    They said this works since we do not connect to any other server using AJP or externally.




  • 7.  RE: Tomcat Vulnerability port 8009

    Posted Aug 13, 2020 05:12 PM
    Edited by Pete Wirfs Aug 13, 2020 05:12 PM

    Support told me today they are still researching whether or not they need 8009 to be open.  In the meantime, though, they also observed that these versions of Tomcat have had the vulnerability repaired: 9.0.31, 8.5.51, 7.0.100.  So a Tomcat upgrade might be a better option.



    ------------------------------
    Pete Wirfs
    SAIF Corporation
    Salem Oregon USA
    ------------------------------
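As an added example for this discussion (not code from the thread, Broadcom, or the Tomcat project), the check below reads a constructed server.xml, flags every active AJP connector that is not bound to loopback or has no `secret` attribute (the two things the accepted answer and the later replies revolve around), and compares a Tomcat version with the fixed releases Pete reports (9.0.31, 8.5.51, 7.0.100). A connector that has been commented out, as in the first post, is not reported because the XML parser drops comments.

```python
"""Audit a Tomcat server.xml for AJP connectors and compare the Tomcat version
with the fixed releases named in the thread (9.0.31, 8.5.51, 7.0.100).
Added example for this discussion, not code from Broadcom or the Tomcat project;
the sample server.xml below is constructed."""
import xml.etree.ElementTree as ET

# Fixed releases per the support reply, keyed by major version line.
FIXED = {9: (9, 0, 31), 8: (8, 5, 51), 7: (7, 0, 100)}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- default AJP connector: all interfaces, no secret -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <!-- hardened as in the accepted answer: loopback only -->
    <Connector port="8010" protocol="AJP/1.3" secretRequired="false"
               address="127.0.0.1" />
  </Service>
</Server>"""

def audit_ajp_connectors(server_xml: str) -> list:
    """One finding per active AJP connector; commented-out connectors are
    skipped because ElementTree discards XML comments."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        address = conn.get("address")
        issues = []
        if address not in LOOPBACK:
            issues.append("reachable from other hosts (no loopback address)")
        if not conn.get("secret"):
            issues.append("no AJP secret configured")
        findings.append({"port": conn.get("port"), "address": address,
                         "issues": issues})
    return findings

def version_is_patched(version: str) -> bool:
    """True when version is at or above the fixed release for its major line."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    if parts[0] not in FIXED:
        raise ValueError(f"no fix data for Tomcat {parts[0]}.x")
    return parts >= FIXED[parts[0]]

if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP {f['port']} @ {f['address']}: {'; '.join(f['issues']) or 'ok'}")
    print({v: version_is_patched(v) for v in ("8.5.32", "8.5.57", "9.0.31")})
```

Point `audit_ajp_connectors` at the text of your own conf/server.xml to confirm that the connector is gone after commenting it out, or that only loopback-bound connectors remain.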



  • 8.  RE: Tomcat Vulnerability port 8009

    Broadcom Partner
    Posted Aug 14, 2020 01:02 AM
    Port 8009 is not used by the AWI per se.
    But if you configure a LoadBalancer "in front of" the AWI, AJP (on Port 8009) is (usually) used for the communication between the LoadBalancer and the AWIs, because AJP is more efficient than http(s).



    ------------------------------
    Consultant
    System Partners GmbH
    ------------------------------



  • 9.  RE: Tomcat Vulnerability port 8009

    Posted Aug 14, 2020 02:43 AM
    Thank you Stefan.  I will check into that since we do have a LoadBalancer in front of the two Tomcat servers.


  • 10.  RE: Tomcat Vulnerability port 8009

    Posted Aug 14, 2020 02:48 AM
    Pete,
    How do you recommend doing the upgrade?  This is what I have run into so far.  If I execute the installer, it will tell me that the service name already exists.  If I unzip the upgrade files, the registry still has the older version information.  I was hoping to avoid having to uninstall Tomcat 8.5.32 and then install 8.5.57 (latest release).


  • 11.  RE: Tomcat Vulnerability port 8009

    Posted Aug 14, 2020 02:14 PM
    I've never done a Tomcat upgrade.  I don't know what issues it might cause.

    ------------------------------
    Pete Wirfs
    SAIF Corporation
    Salem Oregon USA
    ------------------------------



  • 12.  RE: Tomcat Vulnerability port 8009

    Posted Aug 14, 2020 02:31 PM
    I've never done a Tomcat upgrade myself, but our hosting team just upgraded our non-production Tomcat instances on Wednesday.  The only thing I know that they do is that they install to a separate location, but I think they use a symlink so that gets modified to point to the new location.  I am unsure how they finish the configuration for the load balancer or if by using the symlink that takes care of it.

    We then have to deploy the AWI again which we have automated.


  • 13.  RE: Tomcat Vulnerability port 8009

    Posted Aug 24, 2020 12:58 PM
    I completed the Tomcat upgrade on the Windows server to 8.5.57.  I might be wrong, but there didn't seem to be a way to upgrade Tomcat like all other software where it just updates the directory with the new files.  When I tried to install with the existing Tomcat, I got a message that the service was already installed.

    So I had to uninstall and install the newer Tomcat.  During the uninstall, there is a final message which you need to read carefully.  It will ask if you want to keep configuration files.  You have to answer 'No'.  Yes will delete them.  Of course this assumes that you will install the new version in the same directory.

    I had a problem after the install.  It turns out I copied too much from my documentation in adding the path to the AWI configuration directory (it included an ending quote that is not needed).  After correcting that, the upgrade was completed with no issues.  The only change I had to make was to the server.xml since it got replaced.  Prior to the Tomcat install, I backed up the entire directory, so getting the various port information back into the server.xml was easy along with the certification information.