Apache Tomcat Security Advisory: CVE-2020-1938 (Ghostcat, AJP Connector changes)

General Information

Apache Tomcat has recently released new versions to fix a vulnerability tracked as CVE-2020-1938 (also referred as "Ghostcat").

Affected Software

  • Apache Tomcat 7.0.0 to 7.0.99
  • Apache Tomcat 8.5.0 to 8.5.50
  • Apache Tomcat 9.0.0.M1 to 9.0.30


Liferay recommends customers using any of the affected versions to read the referenced articles below and apply one of the following mitigations:

  • Upgrade to Apache Tomcat 9.0.31 or later.
  • Upgrade to Apache Tomcat 8.5.51 or later.
  • Upgrade to Apache Tomcat 7.0.100 or later.

Mitigation Notes

Please note the followings:

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. Prior to these versions, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required.
It is important to note that mitigation is only required if an AJP port is accessible to untrusted users.
It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.

Additional Information

Future Service Pack releases for Liferay DXP will be bundled with a newer Tomcat version where this vulnerability is already fixed.

References and Recommended Articles

Was this article helpful?
2 out of 2 found this helpful