Security Advisory: Ghostcat Vulnerability of Apache Tomcat

Last modified 09 Feb 2024 14:12 +01:00

Date: 2 March 2020

Severity: Informational

Affected versions: all released midPoint versions

Fixed in versions: N/A


Apache JServ Protocol (AJP) of Apache Tomcat may be vulnerable to several types of attack.

Severity and Impact

This vulnerability does not affect midPoint application per se. However, it may impact deployment that are not using the stand-alone deployment model. Such deployment may use Apache Tomcat servers that may be vulnerable to Ghostcat attacks.


Mitigation depends on the deployment model:

  • Stand-alone deployment of midPoint (default): no need to mitigate. Stand-alone midPoint deployment is not vulnerable to Ghostcat as AJP connector is not enabled in the embedded Tomcat instance.

  • Explicit deployment of midPoint (WAR file): disable or secure AJP connector in your Apache Tomcat instance.

See Also

Was this page helpful?
Thanks for your feedback