
Ghostcat vulnerability

Started by smudge, April 03, 2020, 02:24:44 pm


smudge

I read about the Ghostcat vulnerability - the subject of CVE-2020-1938

Is KonaKart vulnerable to that?

Brian

You need to take steps to ensure your installation of tomcat is not exposed to this vulnerability.

First of all, not all installations need the AJP Connector to be enabled. If you don't need it, simply comment out the Connector in your Tomcat's server.xml (you'll find that in the installation's conf directory).

The AJP connector is often used for communication between an Apache Web Server and Tomcat.

If you use the AJP connector you must ensure that your firewall is configured to protect the AJP listening port from all locations that don't need access to it. You should ensure your AJP port is not accessible from external IP addresses.

Note that not all versions of tomcat are affected.

It is certainly recommended that you upgrade to a version of Tomcat that has the fix. Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later resolve the problem.
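An added check for the steps above (not code from this thread, KonaKart or Tomcat): it parses a server.xml and reports each enabled AJP connector that is neither bound to the loopback address nor protected by a shared secret. The attribute names address, secretRequired, secret and the older requiredSecret are the ones documented for Tomcat's AJP connector; the sample server.xml is constructed for the example.

```python
"""Audit a Tomcat server.xml for AJP connectors left exposed (Ghostcat, CVE-2020-1938)."""
import xml.etree.ElementTree as ET
from typing import List

# Addresses that keep the AJP port off external interfaces.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp(server_xml: str) -> List[str]:
    """Return one finding per enabled AJP connector that is not hardened.

    A Connector that has been commented out in server.xml is not parsed at all,
    so it is correctly treated as disabled. An empty list means no exposed AJP
    connector was found.
    """
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")  # Tomcat's default when omitted
        if "AJP" not in protocol.upper():
            continue  # HTTP/HTTPS connectors are not affected by Ghostcat
        port = conn.get("port", "?")
        address = conn.get("address")
        # 'secret' is the current attribute; 'requiredSecret' is the older spelling.
        secret = conn.get("secret") or conn.get("requiredSecret")
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        if address not in LOOPBACK:
            findings.append(f"AJP port {port}: listens on {address or 'all interfaces'}; "
                            'set address="127.0.0.1" and firewall the port')
        if not secret or not secret_required:
            findings.append(f"AJP port {port}: no shared secret enforced")
    return findings


# Constructed sample: the old default AJP connector next to a hardened one.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <!-- <Connector port="8010" protocol="AJP/1.3"/> commented out, so ignored -->
    <Connector port="8019" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="EXAMPLE-SECRET-CHANGE-ME"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    for line in audit_ajp(SAMPLE_SERVER_XML) or ["no exposed AJP connector found"]:
        print(line)
```

Run it against the real conf/server.xml by reading the file into audit_ajp; two findings are reported for the sample above, both for port 8009.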