[midPoint] Security Advisory: Ghostcat Vulnerability of Apache Tomcat
Radovan Semancik
radovan.semancik at evolveum.com
Mon Mar 2 13:21:05 CET 2020
Date: 2 March 2019
Severity: Informational
Affected versions: all released midPoint versions
Fixed in versions: N/A
Description
The Apache JServ Protocol (AJP) of Apache Tomcat may be vulnerable to
several types of attack.
Severity and Impact
This vulnerability does not affect the midPoint application per se. However,
it may impact deployments that are not using the stand-alone deployment
model. Such deployments may use Apache Tomcat servers that may be
vulnerable to Ghostcat attacks.
Mitigation
Mitigation depends on the deployment model:
* Stand-alone deployment of midPoint (default): no need to mitigate.
A stand-alone midPoint deployment is not vulnerable to Ghostcat because
the AJP connector is not enabled in the embedded Tomcat instance.
* Explicit deployment of midPoint (WAR file): disable or secure the AJP
connector in your Apache Tomcat instance.
See Also
* CVE-2020-1938 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938>
* https://wiki.evolveum.com/display/midPoint/Security+Advisory%3A+Ghostcat+Vulnerability+of+Apache+Tomcat
--
Radovan Semancik
Software Architect
evolveum.com