Security Advisory: Ghostcat Vulnerability of Apache Tomcat

Last modified 23 Mar 2021 17:18 +01:00

Date: 2 March 2020

Severity: Informational

Affected versions: all released midPoint versions

Fixed in versions: N/A

Description

The Apache JServ Protocol (AJP) connector of Apache Tomcat is vulnerable to Ghostcat (CVE-2020-1938). An attacker who can reach the AJP port (8009 by default) can read arbitrary files from the deployed web application, such as configuration files under WEB-INF, and, where the application lets the attacker place a file on the server, can have it processed as JSP and so execute code.

Severity and Impact

This vulnerability does not affect the midPoint application itself. It may, however, affect deployments that do not use the stand-alone deployment model: a midPoint WAR deployed into a separately installed Apache Tomcat inherits that instance's connector configuration, and an enabled AJP connector that is reachable from the network exposes the deployment to Ghostcat.

Mitigation

Mitigation depends on the deployment model:

  • Stand-alone deployment of midPoint (default): no mitigation is needed. A stand-alone midPoint deployment is not vulnerable to Ghostcat because the AJP connector is not enabled in the embedded Tomcat instance. To confirm, check that nothing on the host listens on the AJP port (8009 by default).

  • Explicit deployment of midPoint (WAR file): disable the AJP connector in your Apache Tomcat instance (remove it or comment it out in server.xml) unless a front end such as mod_jk or mod_proxy_ajp requires it. If it must stay enabled, upgrade to Tomcat 7.0.100, 8.5.51 or 9.0.31 or later, bind the connector to the loopback or an internal interface with the address attribute, and configure a shared secret.
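The following script illustrates the explicit-deployment case above. It is an added example, not part of this advisory or of midPoint's own code: it audits a Tomcat server.xml for active AJP connectors that would expose the deployment to Ghostcat and shows a weak connector beside a hardened one. The two server.xml samples are constructed for the example and only the Python standard library is used.

```python
# Added example (not from the advisory or midPoint): audit a Tomcat server.xml
# for AJP connectors that expose the deployment to Ghostcat (CVE-2020-1938).
import xml.etree.ElementTree as ET

# Constructed sample: the AJP connector as shipped in Tomcat before 9.0.31 /
# 8.5.51 / 7.0.100: enabled, bound to all interfaces, no shared secret.
WEAK_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: AJP kept for a mod_jk / mod_proxy_ajp front end, but bound
# to loopback and protected by a shared secret. The "secret" / "secretRequired"
# attributes exist in Tomcat 9.0.31+, 8.5.51+ and 7.0.100+; older releases spell
# the secret "requiredSecret". Removing or commenting out the connector, as in
# the commented line, is the simplest fix when nothing in front of Tomcat speaks AJP.
HARDENED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-long-random-value"
               redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "localhost"}


def audit_ajp(server_xml: str) -> list:
    """Return one finding per active AJP connector in server_xml.

    Connectors inside XML comments are not parsed, so a commented-out AJP
    connector produces no finding. Each finding is a dict with the connector's
    port, bind address, whether a shared secret is set, and a list of issues
    (empty when the connector looks safe).
    """
    root = ET.fromstring(server_xml.strip())
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        # Matches "AJP/1.3" as well as explicit class names such as
        # org.apache.coyote.ajp.AjpNioProtocol.
        if "AJP" not in protocol.upper():
            continue
        # Unpatched Tomcat binds AJP to all interfaces unless "address" is set;
        # the audit is deliberately conservative and assumes the same when the
        # attribute is missing, so set it explicitly to make the intent visible.
        address = conn.get("address", "0.0.0.0")
        secret = conn.get("secret") or conn.get("requiredSecret")
        issues = []
        if address not in LOOPBACK:
            issues.append("AJP connector bound to %s, reachable from the network" % address)
        if not secret:
            issues.append("no shared secret configured (secret / requiredSecret)")
        findings.append({
            "port": conn.get("port"),
            "address": address,
            "secret_set": bool(secret),
            "issues": issues,
        })
    return findings


def exposed_to_ghostcat(server_xml: str) -> bool:
    """True if any active AJP connector has at least one issue."""
    return any(f["issues"] for f in audit_ajp(server_xml))


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, "EXPOSED" if exposed_to_ghostcat(xml_text) else "ok")
        for f in audit_ajp(xml_text):
            print("  port=%s address=%s secret_set=%s issues=%s"
                  % (f["port"], f["address"], f["secret_set"], f["issues"]))
```

Run it against a real `conf/server.xml` by replacing the constructed samples with the file's contents. A clean result only shows that the configuration file is sound; pair it with a check that the AJP port is not reachable from untrusted networks, since firewalling the port is the other half of the mitigation.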

See Also