{"id":227378,"date":"2020-03-10T12:47:14","date_gmt":"2020-03-10T19:47:14","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/java\/?p=227378"},"modified":"2020-03-11T13:11:17","modified_gmt":"2020-03-11T20:11:17","slug":"addressing-ghostcat-on-azure","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/java\/addressing-ghostcat-on-azure\/","title":{"rendered":"Addressing the Apache Tomcat “Ghostcat” vulnerability on Azure"},"content":{"rendered":"

A security vulnerability, Ghostcat<\/a>, was announced on Friday, February 28th<\/sup> affecting all Apache Tomcat versions. Ghostcat exploits the Apache Jserv Protocol connector to read and write files to a Apache Tomcat server. The Apache Tomcat security release<\/a> states \u201c[the] mitigation is only required if an AJP port is accessible to untrusted users.\u201d Please follow the instructions below to assess and address your vulnerability.<\/p>\n

App Service<\/h3>\n

The AJP connector is disabled on all Apache Tomcat installations on both App Service Linux and Windows. If you have not edited the server.xml, then your Apache Tomcat application is not vulnerable.<\/p>\n

If you have edited your server.xml, follow these instructions to address your vulnerability:<\/p>\n

    \n
  1. Search your server.xml for the following XML tag:<\/li>\n<\/ol>\n

    <Connector port=”8009″ protocol=”AJP\/1.3″ redirectPort=”8443″ \/><\/span><\/p>\n

      \n
    1. If the line is commented out or cannot be found, then your Apache Tomcat application is not vulnerable.<\/li>\n
    2. If the line exists and is not commented out, then your Apache Tomcat application is vulnerable. Comment out the line as shown below. Save the file and restart your App Service.<\/li>\n<\/ol>\n

      <!– <Connector port=”8009″ protocol=”AJP\/1.3″ redirectPort=”8443″ \/> –><\/span><\/p>\n

      We encourage customers to update their Apache Tomcat versions using the Azure Portal or CLI when the patched versions are available. The patched versions will be available in May.<\/p>\n

      Azure Kubernetes Service, Container Instances, Webapps for Containers, and Virtual Machines<\/h3>\n

      By default, the AJP connector is enabled on all Apache Tomcat versions. You should immediately update your Apache Tomcat installation to the latest patch versions. The patch versions for Apache Tomcat 7, 8, and 9 are below. There is no patch provided for Apache Tomcat 6 as it reached End-of-Life in 2016<\/p>\n