  • 1.  Clarity: Apache Tomcat GhostCat Vulnerability

    Broadcom Employee
    Posted Mar 12, 2020 05:55 AM
    Edited by Christopher Hackett Apr 23, 2020 01:52 PM

    Purpose of the Document

    Review the impact of Apache Tomcat Ghostcat vulnerability with Clarity PPM  and how it can be mitigated.

    What is Apache Tomcat GhostCat Vulnerability?

    The Ghostcat vulnerability exploits the Apache JServ Protocol (AJP) which is generally run on port 8009 and grants an attacker access to deploy or read files from Tomcat directories. This only happens if your AJP connector is exposed over the internet that is to say the AJP connector is bound to an external IP address.

    Which versions of Tomcat are affected?

    The following versions of Tomcat are impacted by this vulnerability:

    • Apache Tomcat 9.x that are below build 9.0.31
    • Apache Tomcat 8.x that are below build 8.5.51
    • Apache Tomcat 7.x that are below build 7.0.100
    • Apache Tomcat 6.x


    All Supported Clarity Environments

    Review the Impact on your Clarity PPM Implementation

    You can mitigate the risk of Ghostcat vulnerability by identifying, which of the following scenarios is applicable in your enterprise and performing the appropriate actions.

    Scenario 1: You are not using the AJP port in your enterprise. 

    You can simply comment out the AJP protocol section in the server.xml file. Perform the following steps:


    1. Stop and remove all the Clarity services:
       Service stop all
       Service remove app bg beacon nsa
       Service start all

    2. Navigate to the <Tomcat work directory>/conf directory and open the server.xml file.

    3. Find the following line and comment it out:
       <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

    4. Save your changes, then redeploy and start all the Clarity services:
       Service add deploy app bg beacon nsa
       Service start all


    Scenario 2: You are using the AJP port in your enterprise.

    If you are using the AJP port in your enterprise, remember that AJP is not a highly trusted protocol. You should never expose the AJP port to untrusted clients, because it uses insecure clear-text transmission and assumes that your network is safe.


    You can apply the following mitigations, in your order of preference:


    • Disable AJP in Tomcat by following the steps mentioned in scenario 1 Point 2
    • Start using HTTP or HTTPS for incoming proxy connections. The HTTP and HTTPS protocols do not contain the same trust issues as AJP.
    • Protect the AJP connection with a secret and review network binding and firewall configurations. Ensure that you only allow incoming connections from trusted hosts. If you want to protect your AJP connection with a secret, you may have to upgrade Tomcat. Please refer to this link to learn more about changes made by Tomcat to specific versions.
    • Use only network binding and firewall configuration to ensure incoming connections are only allowed from trusted hosts.

    Additional Information:

    Thanks & Regards
    Suman Pramanik
    Sr. Principal Support Engineer | Customer Success & Support, Enterprise Software Division
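    Added example (not part of the original post, and not a Broadcom or Clarity tool): a small script that reads a Tomcat server.xml and reports, for each AJP connector still enabled, whether it is bound to loopback and whether a shared secret is configured, which is the state scenarios 1 and 2 above aim for. The server.xml content below is constructed for illustration; the attribute names (address, secret, secretRequired, requiredSecret) are the Tomcat AJP connector attributes referred to in the post, and the note about the default bind address is an assumption about the Tomcat version in use.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the original post): one AJP connector
# in the unmitigated state, one HTTP connector, and one AJP connector that is
# bound to loopback and protected with a secret. A connector that has been
# commented out, as in scenario 1, is an XML comment and is skipped by the parser.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <!-- <Connector port="8011" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_LONG_RANDOM_SECRET" />
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding dict per enabled AJP connector in the server.xml text."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # Tomcat treats a missing protocol attribute as HTTP/1.1.
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        address = conn.get("address")
        # "secret" is the current attribute; "requiredSecret" is the older spelling.
        secret_set = bool(conn.get("secret") or conn.get("requiredSecret"))
        issues = []
        if address is None or address in ("0.0.0.0", "::"):
            # Assumption: on Tomcat builds older than the fixed ones, a missing
            # address means the connector listens on all interfaces.
            issues.append("not bound to loopback; reachable from other hosts unless firewalled")
        elif address not in LOOPBACK:
            issues.append(f"bound to non-loopback address {address}; restrict it by firewall")
        if not secret_set:
            issues.append("no AJP secret configured (requires an upgraded Tomcat build)")
        findings.append({"port": conn.get("port"), "address": address,
                         "secret": secret_set, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {f['port']}: {f['issues'] or 'OK'}")
```

To check a real deployment, read <Tomcat work directory>/conf/server.xml into the function instead of the constructed sample; an empty result means no AJP connector is enabled.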

  • 2.  RE: Clarity: Apache Tomcat GhostCat Vulnerability

    Posted Mar 13, 2020 01:43 PM
    Thank you for alerting the community Suman!

    Chris Hackett
    Community Manager, Broadcom Enterprise Software Division
    Broadcom Inc.