Mass scanning for Apache Tomcat servers that have not been patched against the Ghostcat vulnerability has been detected.

Craig Young, Principal Security Researcher
InfoSec Expert
March 4, 2020 10:26 am

This is an interesting situation because Apache JServ Protocol (AJP) connections should absolutely never be exposed to untrusted users in the first place. With Ghostcat, we have concrete proof of yet another reason why the Tomcat install documentation encourages disabling of the AJP service on production systems. By specifying one path in the request URL and another in the extended request attributes, the Ghostcat request exploits the fact that AJP gives remote attackers relatively low-level access to Tomcat’s HTTP internal implementation.

Last edited 2 years ago by Craig Young
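A configuration check in the spirit of the comment above, added here as an example (it is not code from the article or from the commenter): it parses a Tomcat server.xml and reports every AJP connector that is left enabled without a loopback bind address or a shared secret. The `address`, `secretRequired` and `secret` attributes are the ones Tomcat's AJP connector accepts; the sample XML, the placeholder secret and the function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment for the example (not from any real deployment).
# Connector 8009 is the risky shape: AJP enabled, no bind address, no secret.
# Connector 8010 is the hardened shape: loopback-only with a shared secret.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="PLACEHOLDER_SHARED_SECRET"/>
  </Service>
</Server>"""

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector: its port and the list of issues.

    Connectors that are commented out in server.xml (Tomcat's default) are
    dropped by the XML parser and therefore never reported, which is correct:
    a commented-out connector is a disabled one.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # Tomcat treats a missing protocol attribute as HTTP/1.1.
        if not conn.get("protocol", "HTTP/1.1").startswith("AJP/"):
            continue
        issues = []
        address = conn.get("address")
        # No address means the connector listens on every interface.
        if address is None or address not in LOOPBACK_ADDRESSES:
            issues.append("not bound to a loopback address")
        # Tomcat 9.0.31+/8.5.51+ default secretRequired to true; older
        # releases have no secret at all, so a missing secret is flagged too.
        if conn.get("secretRequired", "true").lower() == "false":
            issues.append("secretRequired disabled")
        elif not conn.get("secret"):
            issues.append("no shared secret configured")
        findings.append({"port": conn.get("port"), "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not finding["issues"] else "; ".join(finding["issues"])
        print(f"AJP connector on port {finding['port']}: {status}")
```

Run it against a real server.xml by reading the file into `audit_ajp_connectors`; any connector with a non-empty issue list should be disabled or restricted as the Tomcat documentation advises.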