
Issue #00005506

Updated Tomcat from 7.0.90 to 7.0.100
Feature/Improvement

This update in particular fixes the "Ghostcat" vulnerability (CVE-2020-1938, see https://www.chaitin.cn/en/ghostcat).

Ghostcat is exploited through the AJP connector. Tomcat 7.0.100 therefore binds the AJP connector to the loopback address only, so it can be reached from the local host and from nothing else. This is configured in server.xml like this:

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector protocol="AJP/1.3"
           address="::1"
           port="8009"
           secretRequired="false"
           redirectPort="8443" />

Note that "::1" is the IPv6 loopback address: a reverse proxy on the same host must connect to ::1, or you change the value to 127.0.0.1. secretRequired="false" is acceptable here only because of this restriction.

If you run OpenWGA in a cluster you will probably have to change this restriction: set address to the IP of the interface on which the node receives AJP traffic from the other cluster nodes or the load balancer (the attribute is the single local address Tomcat binds to, not a list of allowed peers), or remove the address attribute entirely so that the connector listens on all interfaces as in Tomcat 7.0.90. In that case do not keep secretRequired="false": set secretRequired="true" together with a secret attribute and configure the same secret on the reverse proxy (worker.<name>.secret for mod_jk, the secret parameter for mod_proxy_ajp), otherwise any host that can reach the port can issue AJP requests. In any case we advise making sure that the firewall blocks the AJP port (normally 8009) for public access.
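To check whether a given server.xml still leaves the AJP connector exposed after such a change, the following added example (not part of OpenWGA or Tomcat) parses the connector attributes and applies the rules described above. The sample configurations, the node IP 10.0.0.11 and the secret value are constructed for the example; the rule that secretRequired defaults to true and that a connector with secretRequired="true" but no secret refuses to start reflects Tomcat 7.0.100 behaviour.

```python
"""Audit AJP connectors in a Tomcat server.xml (added example, not OpenWGA code)."""
import xml.etree.ElementTree as ET

# Addresses that keep the connector reachable from the local host only.
LOOPBACK = {"::1", "0:0:0:0:0:0:0:1", "127.0.0.1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> dict:
    """Return {port: [findings]} for every AJP/1.3 <Connector> in server_xml.

    An empty finding list means the connector is loopback-only or protected
    by a shared secret. Rules (this example's own reading of the 7.0.100 defaults):
      * no 'address'                       -> Tomcat binds every local interface
      * secretRequired absent              -> treated as "true" (7.0.100 default)
      * secretRequired="true" w/o 'secret' -> Tomcat refuses to start the connector
      * reachable beyond loopback + secretRequired="false" -> exposed to any peer
    """
    root = ET.fromstring(server_xml)
    report = {}
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue  # HTTP/HTTPS connectors are out of scope for Ghostcat
        port = conn.get("port", "?")
        address = conn.get("address")
        loopback_only = address in LOOPBACK
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        secret = conn.get("secret")
        where = "all interfaces (no address attribute)" if address is None else f"address {address}"

        findings = []
        if secret_required and not secret:
            findings.append('secretRequired="true" but no secret set: '
                            'Tomcat 7.0.100 refuses to start this connector')
        elif not secret_required and not loopback_only:
            findings.append(f'listens on {where} with secretRequired="false": '
                            f'any host that can reach port {port} may issue AJP requests')
        report[port] = findings
    return report


# Constructed sample 1: the 7.0.100 default described in this issue.
DEFAULT_7_0_100 = """<Server><Service name="Catalina">
  <Connector protocol="HTTP/1.1" port="8080" redirectPort="8443" />
  <Connector protocol="AJP/1.3" address="::1" port="8009"
             secretRequired="false" redirectPort="8443" />
</Service></Server>"""

# Constructed sample 2: address restriction removed for a cluster (as in 7.0.90), no secret.
CLUSTER_OPEN = """<Server><Service name="Catalina">
  <Connector protocol="AJP/1.3" port="8009" secretRequired="false" redirectPort="8443" />
</Service></Server>"""

# Constructed sample 3: bound to a hypothetical cluster-facing IP with a shared secret.
CLUSTER_SECRET = """<Server><Service name="Catalina">
  <Connector protocol="AJP/1.3" address="10.0.0.11" port="8009"
             secretRequired="true" secret="example-only-shared-secret" redirectPort="8443" />
</Service></Server>"""

# Constructed sample 4: secret required (the 7.0.100 default) but none configured.
CLUSTER_BROKEN = """<Server><Service name="Catalina">
  <Connector protocol="AJP/1.3" address="10.0.0.11" port="8009" redirectPort="8443" />
</Service></Server>"""


if __name__ == "__main__":
    for name, xml in [("default", DEFAULT_7_0_100), ("cluster-open", CLUSTER_OPEN),
                      ("cluster-secret", CLUSTER_SECRET), ("cluster-broken", CLUSTER_BROKEN)]:
        for port, findings in audit_ajp_connectors(xml).items():
            status = "; ".join(findings) if findings else "ok"
            print(f"{name}: AJP port {port}: {status}")
```

Run it against a real server.xml by passing the file contents to audit_ajp_connectors; an empty list for port 8009 means the connector is either loopback-only or secret-protected, which is the state to aim for in a cluster. The script does not replace the firewall rule: a non-loopback bind with a secret still exposes the AJP protocol to anyone who obtains the secret.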