Ghostcat vulnerability
March 4, 2020

GhostCat High-Risk Vulnerability Tomcat: What You Need to Know

Open Source

What is GhostCat?

The GhostCat vulnerability is a serious security flaw, however, it is easily rectifiable. You may have heard about it or have been affected by the security flaw already. How can you prevent your Apache Tomcat web server from being affected? 

If you are forced to use AJP or the Apache JServ Protocol, you will be vulnerable. Very few situations require the use of a binary protocol. If you are proxying to your server via the AJP port, enable the HTTP port and proxy traffic using the HTTP (or HTTPS) protocol. The key step is to disable the AJP port. 

How to Determine If You Are Vulnerable

Checking the log file (catalina.out by default, or the service name if running on Windows) or the configuration file is the best way to determine if the server is vulnerable. The log file has an entry for initializing protocols, with the package:

org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler

The entry for the AJP protocol looks like this:

org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-xxxxxxxxxxx -8009"]

8009 is the default port for the AJP protocol endpoint.  If there is an entry in your log file that includes “ajp” and “initializing”, the server is vulnerable.

Also, check the server.xml file. The endpoint for AJP is enabled or disabled in the server.xml file.

Below we see the default example that ships with the server.xml in the 9.0.31 release. AJP is disabled by default. 

   <!-- Define an AJP 1.3 Connector on port 8009 -->
   <Connector protocol="AJP/1.3"
              redirectPort="8443" />

How to Prevent Unauthorized Access 

In order to prevent unauthorized access, simply disable the AJP endpoint. This is done by deleting or commenting out the entry in the server.xml file. 

Firewalls will also assist with preventing access to the server. If traffic is blocked on the default AJP port, port 8009, there is no way to leverage this vulnerability. 

After updating the server.xml the server will require a restart. When the server starts, ensure AJP is not enabled by watching the log file. During the initialization of protocols, AJP should not be there, just HTTP, and/or HTTPS. 

Scanning for open ports on the Tomcat server will also indicate if there is an AJP port open.

Getting Help with Your Apache Server

If you would like to know more or have questions, please feel free to email me, [email protected]. Our team at OpenLogic by Perforce is also ready to help you get your Apache Tomcat servers secure and supported. Connect with an open source expert today.