Addressing the Apache Tomcat “Ghostcat” vulnerability on Azure

Jason Freeberg

March 10th, 20200 0

A security vulnerability, Ghostcat, was announced on Friday, February 28th affecting all Apache Tomcat versions. Ghostcat exploits the Apache Jserv Protocol connector to read and write files to a Apache Tomcat server. The Apache Tomcat security release states “[the] mitigation is only required if an AJP port is accessible to untrusted users.” Please follow the instructions below to assess and address your vulnerability.

App Service

The AJP connector is disabled on all Apache Tomcat installations on both App Service Linux and Windows. If you have not edited the server.xml, then your Apache Tomcat application is not vulnerable.

If you have edited your server.xml, follow these instructions to address your vulnerability:

  1. Search your server.xml for the following XML tag:

<Connector port=”8009″ protocol=”AJP/1.3″ redirectPort=”8443″ />

  1. If the line is commented out or cannot be found, then your Apache Tomcat application is not vulnerable.
  2. If the line exists and is not commented out, then your Apache Tomcat application is vulnerable. Comment out the line as shown below. Save the file and restart your App Service.

<!– <Connector port=”8009″ protocol=”AJP/1.3″ redirectPort=”8443″ /> –>

We encourage customers to update their Apache Tomcat versions using the Azure Portal or CLI when the patched versions are available. The patched versions will be available in May.

Azure Kubernetes Service, Container Instances, Webapps for Containers, and Virtual Machines

By default, the AJP connector is enabled on all Apache Tomcat versions. You should immediately update your Apache Tomcat installation to the latest patch versions. The patch versions for Apache Tomcat 7, 8, and 9 are below. There is no patch provided for Apache Tomcat 6 as it reached End-of-Life in 2016

If you cannot immediately update your Apache Tomcat version, follow these instructions to mitigate the vulnerability.

  1. Connect to your VM or container via SSH or a similar protocol
  2. Navigate to your Apache Tomcat’s server.xml file. This is usally under $TOMCAT_HOME/conf
  3. Find the XML tag that enables the AJP connector. The default value is below:

<Connector port=”8009″ protocol=”AJP/1.3″ redirectPort=”8443″ />

  1. Delete or comment this line
  2. Save server.xml
  3. Restart Apache Tomcat

Spring Boot Users

The default embedded web server for Spring Boot is Apache Tomcat. By default, Spring Boot does not declare an AJP connector. Your Spring Boot applications are not vulnerable unless you explicitly enabled the AJP connector in your configuration

More Information

Jason Freeberg Program Manager, Azure App Service

Read next

Java on Visual Studio Code Update – March 2020
In this update, we will show you the performance improvements just released as well as currently under development. You will see Syntax Mode, the newly polished experience for standalone Java files. We'd also like to introduce you to the newly released SonarLint extension which helps you detect code quality and security issues on the fly.
Xiaokai He
March 19, 2020
4 comments
Java on Visual Studio Code Update – April 2020
Java on VS Code April update will show you the effect of latest performance improvements, new Java 14 support and semantic highlighting. Also including how to easily create new Java class, perform rename refactoring from file explorer and preview the proposed changes.
Xiaokai He
April 30, 2020
1 comment

0 comments

Discussion is closed.

Feedback usabilla icon