Scanning For Ghostcat – Expert Reaction

By ISBuzz Staff
Editorial Team , Information Security Buzz | Mar 04, 2020 02:22 am PST

Mass scanning activity targeting Apache Tomcat servers that have not been patched against the Ghostcat vulnerability has been detected.

Craig Young, Principal Security Researcher, InfoSec Expert | March 4, 2020 10:26 am

This is an interesting situation because Apache JServ Protocol (AJP) connections should absolutely never be exposed to untrusted users in the first place. With Ghostcat, we have concrete proof of yet another reason why the Tomcat install documentation encourages disabling of the AJP service on production systems. By specifying one path in the request URL and another in the extended request attributes, the Ghostcat request exploits the fact that AJP gives remote attackers relatively low-level access to Tomcat’s internal HTTP implementation.

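The mitigation Young points to, keeping AJP off production systems or at least away from untrusted networks, can be checked directly in Tomcat's server.xml. The following audit is an added example and is not code from the article or from the Tomcat project; both server.xml fragments are constructed, with the weak one mirroring the always-enabled AJP connector line that older default configurations shipped.

```python
"""Flag AJP connectors in a Tomcat server.xml that are reachable from other
hosts. Added example for this article, not the article's or Tomcat's code."""
import xml.etree.ElementTree as ET

# Constructed sample: the AJP connector as shipped enabled in older default
# server.xml files, listening on every interface, beside the HTTP connector.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

# Constructed sample after the documented fix: the AJP connector is
# commented out, which the XML parser skips just as Tomcat does.
HARDENED_SERVER_XML = WEAK_SERVER_XML.replace(
    '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />',
    '<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->',
)

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return a finding for every AJP connector not bound to loopback.
    Matches both the short "AJP/1.3" form and the fully qualified
    org.apache.coyote.ajp.* protocol class names."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if "ajp" not in protocol.lower():
            continue  # plain HTTP connectors are not what Ghostcat abuses
        # Tomcat binds to all interfaces when no address attribute is given.
        address = conn.get("address", "0.0.0.0")
        if address in LOOPBACK:
            continue
        findings.append({
            "port": conn.get("port"),
            "address": address,
            "fix": "remove the connector, or bind it to 127.0.0.1 and "
                   "restrict who can reach it; then patch Tomcat",
        })
    return findings


if __name__ == "__main__":
    for name, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, audit_ajp_connectors(xml_text))
```

Run it against each server.xml on a Tomcat host; an empty result for the hardened sample shows what a clean configuration looks like.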
