Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
At first glance, this seems like a very critical vulnerability - but it is not as bad as it seems.
The AJP listener is - unsurprisingly - insecure, as it is used to pass requests to (any) Java application.
This can be compared to the (FastCGI) listener of PHP-FPM, where arbitrary filenames can be passed to it.
Luckily Tomcat should only listen on localhost or access to the listener should be restricted by a firewall.
Yes, the vulnerability is bad and should be patched, but in a usual installation it shouldn't be the end of the world. -
@sbiewald
I'm just glad application containers are becoming irrelevant as frameworks themselves become edge capable. The fewer holey abstractions the better. -
@SortOfTested I disagree. While it could make deployments easier, people will make the same vulnerabilities already fixed in an application container, but now in the applications itself.
Let me use the typical path traversal vulnerability as an example: Most web servers and many frameworks had them.
But now instead of fixing them (in the application container) once, they appear again and again and again in many applications. -
@sbiewald
If you're writing that code manually and are encountering the problem across multiple applications, and improperly securing endpoints, you're probably also using something like tomcat/jboss. Solving that problem via configuration just creates a dependency on knowing that the fix is at the server level, and then patching every server. At that point you have two problems, and still need to patch the code anyways.
We can agree to disagree, ☺️ I prefer containerization and an API gateway to the standard monolith, it alleviates most of these problems at the proper level of abstraction. -
I know one company that would already be vulnerable. They're probably not upgrading their prod Tomcat until the second half of this year.
Related Rants
Apache Tomcat vulnerability "GHOSTCAT" allows read conduct files and implant web shells. All versions in the last 13 years vulnerable.
According to Security Researcher of Chaitin Tech : Due to a flaw in the Tomcat AJP protocol (the channel for Tomcat to connect to the outside, pass them to the corresponding web application for processing and return the response result of the request), an attacker can read or include any files in the webapp directories of Tomcat.
For example, An attacker can read the web-app configuration files or source code. In addition, if the target web application has a file upload function, the attacker may execute malicious code on the target host by exploiting file inclusion through "GHOSTCAT" vulnerability.
Apache Tomcat has officially released versions 9.0.31, 8.5.51, and 7.0.100 to fix this vulnerability.
random
vulnerability
apache
security