Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
An attacker can only connect to these vulnerable versions of the Apache Tomcat server if the AJP port is open to external traffic. Attackers of any skill level can read a file from the application server, but a skilled attacker can perform a more sophisticated remote code execution (RCE) attack by recognizing an application that supports file uploads. A file read does not adversely affect the network but this activity can indicate that an attacker is preparing to escalate the attack, which can pose a significant threat to the network.
Kill Chain
Risk Score
88
Apache Tomcat is a Java servlet container that enables you to run Java applications on your web server over the Apache JServe Protocol (AJP). The Ghostcat vulnerability targets versions of Tomcat where the AJP port is enabled by default. Attackers can directly interact with Tomcat through the open port to retrieve configuration files, API tokens, and other data. If the targeted application accepts and stores JSP files, an attacker can even upload a file to perform remote code execution (RCE).
Upgrade Apache Tomcat to 7.0.100, 8.5.51, 9.0.31, or later
Configure firewalls to limit access to the AJP ports
Require AJP authentication by configuring the requiredSecret attribute on the Tomcat server
Disable the AJP port by commenting out <Connector port=”8009″ protocol=”AJP/1.3″ redirectPort=”8443″ /> in the Tomcat /conf/server.xml file
