Security Advisory: Ghostcat Vulnerability of Apache Tomcat
Date: 2 March 2020
Affected versions: all released midPoint versions
Fixed in versions: N/A
Apache JServ Protocol (AJP) of Apache Tomcat may be vulnerable to several types of attack.
Severity and Impact
This vulnerability does not affect midPoint application per se. However, it may impact deployment that are not using the stand-alone deployment model. Such deployment may use Apache Tomcat servers that may be vulnerable to Ghostcat attacks.
Mitigation depends on the deployment model:
Stand-alone deployment of midPoint (default): no need to mitigate. Stand-alone midPoint deployment is not vulnerable to Ghostcat as AJP connector is not enabled in the embedded Tomcat instance.
Explicit deployment of midPoint (WAR file): disable or secure AJP connector in your Apache Tomcat instance.