Tomcat and Qualsys QID: 87413


Tomcat and Qualsys QID: 87413

jonmcalexander
I hate bringing up old crap, but I just want to make sure I have everything covered on my end. As far as this QID, the dreaded Ghost Cat, and AJP, is there ANY special AJP configuration that should be done to make sure that this QID is mitigated for Tomcat 7.0.103, 8.5.53, and 9.0.33 and above configurations?

Thanks,


Dream * Excel * Explore * Inspire
Jon McAlexander
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

[hidden email]<mailto:[hidden email]>


This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.


Re: Tomcat and Qualsys QID: 87413

markt
On 18/05/2020 21:45, [hidden email] wrote:
> I hate bringing up old crap, but I just want to make sure I have everything covered on my end. As far as this QID, the dreaded Ghost Cat, and AJP, is there ANY special AJP configuration that should be done to make sure that this QID is mitigated for Tomcat 7.0.103, 8.5.53, and 9.0.33 and above configurations?

It depends. There are too many variables. A configuration that would be
considered secure in one scenario may be considered insecure in another.

If you show us your AJP configuration (passwords, if any, masked) we can
figure out what questions to ask next.

Mark




---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


RE: Tomcat and Qualsys QID: 87413

jonmcalexander
-----Original Message-----
From: Mark Thomas <[hidden email]>
Sent: Monday, May 18, 2020 5:29 PM
To: [hidden email]
Subject: Re: Tomcat and Qualsys QID: 87413

On 18/05/2020 21:45, [hidden email] wrote:
> I hate bringing up old crap, but I just want to make sure I have everything covered on my end. As far as this QID, the dreaded Ghost Cat, and AJP, is there ANY special AJP configuration that should be done to make sure that this QID is mitigated for Tomcat 7.0.103, 8.5.53, and 9.0.33 and above configurations?

>It depends. There are too many variables. A configuration that would be considered secure in one scenario may be considered insecure in another.

>If you show us your AJP configuration (passwords, if any, masked) we can figure out what questions to ask next.

>Mark

Thanks Mark.

I'm not looking for anything specific, but more generic. I'm one of the guys that gets all the escalated support questions in the company in regards to anything Tomcat. This includes all these QIDs, etc. I just wanted some "best practice" information that I can dispense as potential ways for folks who need AJP to be able to resolve the QID vulnerability in their systems.

Thanks,





Re: Tomcat and Qualsys QID: 87413

Christopher Schultz-2

Jon,

On 5/18/20 18:37, [hidden email] wrote:

> -----Original Message----- From: Mark Thomas <[hidden email]>
> Sent: Monday, May 18, 2020 5:29 PM To: [hidden email]
> Subject: Re: Tomcat and Qualsys QID: 87413
>
> On 18/05/2020 21:45, [hidden email] wrote:
>> I hate bringing up old crap, but I just want to make sure I have
>> everything covered on my end. As far as this QID, the dreaded
>> Ghost Cat, and AJP, is there ANY special AJP configuration that
>> should be done to make sure that this QID is mitigated for
>> Tomcat 7.0.103, 8.5.53, and 9.0.33 and above configurations?
>
>> It depends. There are too many variables. A configuration that
>> would be considered secure in one scenario may be considered
>> insecure in another.
>
>> If you show us your AJP configuration (passwords, if any,
>> masked) we can figure out what questions to ask next.
>
>> Mark
>
> Thanks Mark.
>
> I'm not looking for anything specific, but more generic. I'm one of
> the guys that gets all the escalated support questions in the
> company in regards to anything Tomcat. This includes all these
> QID's, etc.. I just wanted some "best practice" information that I
> can dispense as potential ways for folks who need AJP to be able
> to resolve the QID vulnerability in their systems.

Generally, the advice is "secure your endpoints." If you are already
protecting your endpoints -- whether they are HTTP or AJP -- then all
is well. If you are not currently using an AJP "secret" and you feel
like your endpoints are secure (as I do, since I use
client-authenticated stunnel for all AJP connections), then you can
set secretRequired="false" and be ready for an upgrade.

If nobody has ever taken a look at the security of their AJP
endpoints, maybe now is a good time to do that.

Remember:

1. AJP is not encrypted
2. AJP is not authenticated
3. Tomcat by default trusts information sent via AJP moreso than via
HTTP

Hope that helps,
- -chris
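The three reminders in the last message (AJP is unencrypted, AJP is unauthenticated, Tomcat trusts AJP more than HTTP) translate directly into a handful of server.xml attributes that can be checked mechanically. The script below is an added example and is not code from the Tomcat project or from anyone in this thread. It parses the AJP connectors out of a server.xml and reports the conditions the thread discusses: a connector with no explicit bind address, one bound to every interface, one with no shared secret, and the stunnel-style case of secretRequired="false" on loopback. The attribute names (address, secretRequired, secret) are Tomcat's own; the three server.xml samples and the finding codes are constructed for the example.

```python
"""Audit the AJP connectors in a Tomcat server.xml for Ghostcat-era
(CVE-2020-1938) exposure, following the thread's advice: AJP is neither
encrypted nor authenticated on its own, so each connector must be reachable
only from trusted hosts, carry a shared secret, or both.

Added example, not code from the Tomcat project or from anyone in the thread.
Connector attribute names (address, secretRequired, secret) are Tomcat's own;
the server.xml samples and the finding codes are constructed here.
"""
import xml.etree.ElementTree as ET

FINDINGS = {
    "ADDRESS_UNSET": "no address= set: pre-fix releases bind every interface, "
                     "fixed releases bind loopback; set it explicitly",
    "ADDRESS_ALL": "bound to all interfaces; bind to loopback or a trusted NIC",
    "ADDRESS_NONLOCAL": "bound to a non-loopback address; confirm only the "
                        "reverse proxy can reach it (firewall/stunnel)",
    "NO_SECRET_NOT_REQUIRED": "secretRequired=\"false\" and no secret: "
                              "unauthenticated AJP, acceptable only behind an "
                              "external control such as client-authenticated stunnel",
    "NO_SECRET_REQUIRED": "secretRequired=\"true\" (default on fixed releases) but "
                          "no secret: fixed releases refuse to start the connector, "
                          "pre-fix releases ignore the attribute and accept "
                          "unauthenticated AJP",
    "SHORT_SECRET": "secret is shorter than 16 characters; use a long random "
                    "value and configure the same value on the proxy side",
}
ALL_INTERFACES = {"0.0.0.0", "::", "::0", "0:0:0:0:0:0:0:0"}
LOOPBACK = {"127.0.0.1", "::1", "localhost", "0:0:0:0:0:0:0:1"}


def audit_connector(attrs):
    """Return finding codes for one AJP connector's attribute dict."""
    codes = []
    address = attrs.get("address")
    if address is None:
        codes.append("ADDRESS_UNSET")
    elif address in ALL_INTERFACES:
        codes.append("ADDRESS_ALL")
    elif address not in LOOPBACK:
        codes.append("ADDRESS_NONLOCAL")

    # Fixed releases default secretRequired to true; model that default here.
    secret_required = attrs.get("secretRequired", "true").strip().lower() == "true"
    secret = attrs.get("secret", "")
    if not secret and not secret_required:
        codes.append("NO_SECRET_NOT_REQUIRED")
    elif not secret and secret_required:
        codes.append("NO_SECRET_REQUIRED")
    elif len(secret) < 16:
        codes.append("SHORT_SECRET")
    return codes


def audit_server_xml(xml_text):
    """Return {port: [codes]} for every AJP connector; HTTP connectors are skipped."""
    root = ET.fromstring(xml_text)
    results = {}
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if "AJP" not in protocol.upper():
            continue
        results[conn.get("port", "?")] = audit_connector(conn.attrib)
    return results


def report(xml_text):
    """Human-readable lines, one per finding (empty list means nothing flagged)."""
    lines = []
    for port, codes in audit_server_xml(xml_text).items():
        for code in codes:
            lines.append(f"AJP connector on port {port}: {FINDINGS[code]}")
    return lines


# Constructed sample: the stock pre-Ghostcat connector as many server.xml
# files shipped it, no bind address and no secret.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# Constructed sample: loopback only, plus a shared secret the proxy must send.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="7c0e1f2a9b4d3e6f8a1b2c3d4e5f6a7b"
               redirectPort="8443"/>
  </Service>
</Server>"""

# Constructed sample: the stunnel case from the thread, no secret but the
# connector is reachable only through a client-authenticated tunnel on loopback.
STUNNEL_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="false" redirectPort="8443"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    for name, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML),
                      ("stunnel", STUNNEL_SERVER_XML)):
        print(f"== {name} ==")
        for line in report(xml) or ["no findings"]:
            print(" ", line)
```

Run it against a real server.xml by reading the file into `report()`. The stunnel sample is flagged on purpose: the script cannot see the tunnel, so a `NO_SECRET_NOT_REQUIRED` finding is the reviewer's cue to confirm the external control actually exists rather than a defect in itself, which is exactly the "it depends" Mark describes.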