Mass scanning activity targeting Apache Tomcat servers that have not been patched against the Ghostcat vulnerability has been detected.

Experts Comments

March 04, 2020
Craig Young
Principal Security Researcher
Tripwire
This is an interesting situation because Apache JServ Protocol (AJP) connections should absolutely never be exposed to untrusted users in the first place. With Ghostcat, we have concrete proof of yet another reason why the Tomcat install documentation encourages disabling of the AJP service on production systems. By specifying one path in the request URL and another in the extended request attributes, the ghostcat request exploits the fact that AJP gives remote attackers relatively low-level access to Tomcat’s HTTP internal implementation.
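A defender-side check that follows the hardening the comment above points to (AJP disabled on production systems, or at least not reachable by untrusted users): the script below is an added example written for this page, not Tripwire's code or the Tomcat project's own tooling. It parses a Tomcat `server.xml`, finds every AJP connector and reports ones that listen on all interfaces or have no shared secret. The two `server.xml` documents are constructed samples; `address`, `secretRequired` and `secret` are Tomcat connector attributes, and treating a missing `address` as "all interfaces" is a deliberately conservative assumption (recent Tomcat releases default the AJP connector to loopback, but an audit script cannot know which release will load the file).

```python
"""Audit a Tomcat server.xml for exposed AJP connectors (added example, not from the article)."""
import xml.etree.ElementTree as ET

# Constructed sample: an older default-style server.xml with an AJP connector
# that binds to every interface and requires no secret.
SAMPLE_EXPOSED = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed sample: the same file after hardening. Binding to loopback and
# requiring a secret limits AJP to a trusted local front end; removing or
# commenting out the connector entirely (what the Tomcat docs recommend when
# AJP is unused) is the simplest option and yields no findings at all.
SAMPLE_HARDENED = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET" redirectPort="8443"/>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp(server_xml: str) -> list:
    """Return (port, finding) tuples for each AJP connector that needs attention.

    An empty list means either no AJP connector is configured (commented-out
    connectors are dropped by the XML parser, so they count as disabled) or
    every AJP connector is bound to loopback with a shared secret.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # protocol may be the short form "AJP/1.3" or a full class name such as
        # "org.apache.coyote.ajp.AjpNioProtocol"; both contain "AJP".
        protocol = conn.get("protocol", "HTTP/1.1")
        if "AJP" not in protocol.upper():
            continue
        port = conn.get("port", "?")
        # Assumption: no address attribute means all interfaces (true for the
        # older defaults that Ghostcat scanning is looking for).
        address = conn.get("address", "0.0.0.0")
        secret_required = conn.get("secretRequired", "false").lower() == "true"
        secret = conn.get("secret")
        if address not in LOOPBACK:
            findings.append((port, f"AJP connector listens on {address}; bind it to "
                                   "loopback or remove it if nothing uses AJP"))
        if not secret_required or not secret:
            findings.append((port, "AJP connector has no shared secret; set "
                                   'secretRequired="true" and a random secret'))
    return findings


if __name__ == "__main__":
    for label, doc in (("exposed", SAMPLE_EXPOSED), ("hardened", SAMPLE_HARDENED)):
        result = audit_ajp(doc)
        print(f"{label}: {'no findings' if not result else ''}")
        for port, finding in result:
            print(f"  port {port}: {finding}")
```

Point the script at a real `conf/server.xml` by reading the file and passing its contents to `audit_ajp`; a non-empty result on a production host is the condition the comment above warns about, and the fix is the one the Tomcat documentation already gives: disable the AJP connector unless a trusted front end needs it.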