Addressing the Apache Tomcat “Ghostcat” vulnerability on Azure

Jason

March 10th, 2020

A security vulnerability, Ghostcat, was announced on Friday, February 28th affecting all Apache Tomcat versions. Ghostcat exploits the Apache Jserv Protocol connector to read and write files to a Apache Tomcat server. The Apache Tomcat security release states “[the] mitigation is only required if an AJP port is accessible to untrusted users.” Please follow the instructions below to assess and address your vulnerability.

App Service

The AJP connector is disabled on all Apache Tomcat installations on both App Service Linux and Windows. If you have not edited the server.xml, then your Apache Tomcat application is not vulnerable.

If you have edited your server.xml, follow these instructions to address your vulnerability:

Search your server.xml for the following XML tag:

<Connector port=”8009″ protocol=”AJP/1.3″ redirectPort=”8443″ />

If the line is commented out or cannot be found, then your Apache Tomcat application is not vulnerable. If the line exists and is not commented out, then your Apache Tomcat application is vulnerable. Comment out the line as shown below. Save the file and restart your App Service.

<!– <Connector port=”8009″ protocol=”AJP/1.3″ redirectPort=”8443″ /> –>

We encourage customers to update their Apache Tomcat versions using the Azure Portal or CLI when the patched versions are available. The patched versions will be available in May.

Azure Kubernetes Service, Container Instances, Webapps for Containers, and Virtual Machines

By default, the AJP connector is enabled on all Apache Tomcat versions. You should immediately update your Apache Tomcat installation to the latest patch versions. The patch versions for Apache Tomcat 7, 8, and 9 are below. There is no patch provided for Apache Tomcat 6 as it reached End-of-Life in 2016

If you cannot immediately update your Apache Tomcat version, follow these instructions to mitigate the vulnerability.

Connect to your VM or container via SSH or a similar protocol Navigate to your Apache Tomcat’s server.xml file. This is usally under $TOMCAT_HOME/conf Find the XML tag that enables the AJP connector. The default value is below:

<Connector port=”8009″ protocol=”AJP/1.3″ redirectPort=”8443″ />

Delete or comment this line Save server.xml Restart Apache Tomcat

Spring Boot Users

The default embedded web server for Spring Boot is Apache Tomcat. By default, Spring Boot does not declare an AJP connector. Your Spring Boot applications are not vulnerable unless you explicitly enabled the AJP connector in your configuration

More Information