Re: [thredds] Tomcat Ghostcat Vulnerability

  • To: Nathan Potter <ndp@xxxxxxxxxxx>
  • Subject: Re: [thredds] Tomcat Ghostcat Vulnerability
  • From: Sean Arms <sarms@xxxxxxxx>
  • Date: Tue, 17 Mar 2020 17:20:03 -0600
Greetings all,

Sorry for the delay. Thank you for your pointers regarding AJP, Nathan!

Occasionally we post things to the list regarding tomcat (end of life
announcements, for example), but we strongly encourage those who run a
TDS to subscribe directly to the security list associated with the
servlet container (and front-end web server, if applicable) they run
on their systems. For tomcat, that'd be tomcat-announce
(http://tomcat.apache.org/lists.html#tomcat-announce), for jetty it'd
be jetty-announce
(https://accounts.eclipse.org/mailing-list/jetty-announce), for JBoss
it'd be jboss-security-notifications
(https://lists.jboss.org/mailman/listinfo/jboss-security-notifications),
etc. In addition, if a front-end web-server is used, such as Apache,
Nginx, etc., we recommend subscribing directly to those lists as well.

Cheers,

Sean

On Mon, Mar 9, 2020 at 10:00 PM Nathan Potter <ndp@xxxxxxxxxxx> wrote:
>
> Hi Roy,
>
> In general a best practice deployment of Tomcat with an AJP connection 
> established should limit that connection to a specific host over SSL.
>
> For example:
>
>     <Connector
>         port="8009"
>         protocol="AJP/1.3"
>         redirectPort="443"
>         scheme="https"
>         address="127.0.0.1"
>         enableLookups="false"
>         tomcatAuthentication="false"
>         />
>
> Has been our practice for some time.
>
> It makes the AJP endpoint much more difficult to access unless the intruder 
> has already compromised your host, in which case things are already horrible.
>
> I don't think this practice is something in lieu of the patches you posted; 
> rather, even on a patched, publicly accessible system the AJP connection should 
> be clamped down in a similar manner.
>
> Nathan
>
> > On Mar 9, 2020, at 8:51 PM, Roy Mendelssohn - NOAA Federal via thredds 
> > <thredds@xxxxxxxxxxxxxxxx> wrote:
> >
> > I am surprised this hasn't hit this list already:
> >
> > "Ghostcat" is a new security vulnerability in Tomcat's AJP Connector that 
> > potentially allows attackers to take over the server. You can read more 
> > about the problem at
> >       • https://www.bleepingcomputer.com/news/security/active-scans-for-apache-tomcat-ghostcat-vulnerability-detected-patch-now/
> >       • https://www.esri.com/arcgis-blog/products/arcgis-online/administration/dont-get-bitten-by-ghostcat-tomcat-vulnerability/
> >       • https://securityboulevard.com/2020/02/patch-your-tomcat-and-jboss-instances-to-protect-from-ghostcat-vulnerability-cve-2020-1938-and/
> >       • https://nvd.nist.gov/vuln/detail/CVE-2020-1938
> >
> > Updates are available for the recent versions of Tomcat to fix this. We 
> > have updated 2 TDS to Tomcat 8: 8.5.51 with no issues that I can see, but 
> > then again we aren't using AJP.
> >
> > -Roy
> >
> > **********************
> > "The contents of this message do not reflect any position of the U.S. 
> > Government or NOAA."
> > **********************
> > Roy Mendelssohn
> > Supervisory Operations Research Analyst
> > NOAA/NMFS
> > Environmental Research Division
> > Southwest Fisheries Science Center
> > ***Note new street address***
> > 110 McAllister Way
> > Santa Cruz, CA 95060
> > Phone: (831)-420-3666
> > Fax: (831) 420-3980
> > e-mail: Roy.Mendelssohn@xxxxxxxx www: https://www.pfeg.noaa.gov/
> >
> > "Old age and treachery will overcome youth and skill."
> > "From those who have been given much, much will be expected"
> > "the arc of the moral universe is long, but it bends toward justice" -MLK 
> > Jr.
> >
> > _______________________________________________
> > NOTE: All exchanges posted to Unidata maintained email lists are
> > recorded in the Unidata inquiry tracking system and made publicly
> > available through the web.  Users who post to any of the lists we
> > maintain are reminded to remove any personal information that they
> > do not want to be made public.
> >
> >
> > thredds mailing list
> > thredds@xxxxxxxxxxxxxxxx
> > For list information or to unsubscribe,  visit: 
> > https://www.unidata.ucar.edu/mailing_lists/
>
> = = =
> Nathan Potter                        ndp at opendap.org
> OPeNDAP, Inc.                        +1.541.231.3317
>
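The checks below are an added example, not code from this thread or from Unidata/OPeNDAP: a small audit of the AJP `<Connector>` elements in a Tomcat server.xml, flagging the settings Nathan's quoted snippet addresses (loopback-only `address`) plus the shared `secret` that Tomcat 8.5.51 / 9.0.31 introduced alongside the CVE-2020-1938 fix. The sample server.xml is constructed for the example; the `tomcatAuthentication` note is informational, since that setting is only safe when nothing but the proxy can reach the port.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list[dict]:
    """Return a finding per AJP <Connector>: its port and a list of issues."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue  # HTTP connectors are out of scope for this check
        issues = []
        address = conn.get("address")
        if address is None:
            # Before 8.5.51 / 9.0.31 an AJP connector with no address
            # attribute listened on every interface.
            issues.append("no address attribute: older Tomcat binds all interfaces")
        elif address not in LOOPBACK:
            issues.append(f"address {address!r} is not loopback")
        if conn.get("secret") is None:
            # 8.5.51 / 9.0.31 added a shared secret the proxy must present.
            issues.append("no AJP secret configured")
        if conn.get("tomcatAuthentication", "true").lower() == "false":
            # Tomcat then trusts the REMOTE_USER the proxy sends; acceptable
            # only if nothing but the proxy can reach the port.
            issues.append("tomcatAuthentication=false: proxy-asserted identity is trusted")
        findings.append({"port": conn.get("port"), "issues": issues})
    return findings


# Constructed server.xml fragment: the 8009 connector mirrors Nathan's snippet,
# the 8010 connector shows the pre-8.5.51 default of no address at all.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" scheme="https"
               address="127.0.0.1" enableLookups="false" tomcatAuthentication="false"/>
    <Connector port="8010" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not f["issues"] else "; ".join(f["issues"])
        print(f"AJP port {f['port']}: {status}")
```

Point it at a real server.xml with `audit_ajp_connectors(open(path).read())`; if AJP is not used at all (as in Roy's case), the safest finding is no AJP connector present.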

