How to secure Tomcat against Ghostcat
First of all, let's see what this bug is really about:
The bug allows an attacker to exploit the AJP connector in Tomcat and execute code remotely on the server.
This is a serious vulnerability, especially if the Tomcat service is running as root: that would give an attacker complete control over the server.
To mitigate this, the Tomcat project has released a patched minor version for each of its major versions.
This new patch requires some configuration changes on both the Tomcat side and the Apache side.
Please make sure to upgrade and configure the AJP connector as follows:
- The AJP connector now requires a secret.
In Tomcat:
<Connector protocol="AJP/1.3" address="0.0.0.0" port="8009" secret="changeme" redirectPort="8443" />
- In Apache, two changes are required.
- One in mod_jk, where the worker is configured in /etc/httpd/conf.d/workers.properties:
worker.list=stats,node1
worker.node1.type=ajp13
worker.node1.host=localhost
worker.node1.port=8009
worker.node1.secret=changeme
- And one in httpd.conf:
JkMount /myapp node1
JkMount /myapp/* node1
JkMount /servlet/* node1
JkMount /*.jsp node1
JkMount /* node1
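As an added example (not part of the original post, and not Tomcat's or mod_jk's own tooling), here is a small Python audit that parses a server.xml and a workers.properties and reports the misconfigurations the steps above guard against: an AJP connector without a secret, a secret that no ajp13 worker shares, and an AJP connector bound on all interfaces. The sample configs inside the script are constructed to mirror the snippets on this page.

```python
# Added audit script for the AJP secret hardening described above (not Tomcat's or mod_jk's own code).
import xml.etree.ElementTree as ET

# Constructed sample config files, mirroring the snippets on this page.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector protocol="AJP/1.3" address="0.0.0.0" port="8009" secret="changeme" redirectPort="8443"/>
</Service></Server>"""
WORKERS_PROPERTIES = """worker.list=stats,node1
worker.node1.type=ajp13
worker.node1.host=localhost
worker.node1.port=8009
worker.node1.secret=changeme
"""

def ajp_connectors(server_xml):
    """Attribute dicts of every AJP connector in server.xml (HTTP connectors are skipped)."""
    root = ET.fromstring(server_xml)
    return [dict(c.attrib) for c in root.iter("Connector")
            if c.get("protocol", "").upper().startswith("AJP")]

def worker_secrets(workers_properties):
    """Map each ajp13 worker listed in worker.list to its secret (None when unset)."""
    props = {}
    for line in workers_properties.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    names = [n.strip() for n in props.get("worker.list", "").split(",") if n.strip()]
    return {n: props.get(f"worker.{n}.secret")
            for n in names if props.get(f"worker.{n}.type") == "ajp13"}

def audit(server_xml, workers_properties):
    """Return findings as strings; an empty list means the AJP setup passes the checks."""
    findings = []
    secrets = set(worker_secrets(workers_properties).values())
    for c in ajp_connectors(server_xml):
        port, secret = c.get("port", "8009"), c.get("secret", "")
        required = c.get("secretRequired", "true").lower() == "true"  # patched default is true
        if required and not secret:  # patched Tomcat refuses to start with this combination
            findings.append(f"AJP {port}: secretRequired but secret is missing")
        elif not secret:
            findings.append(f"AJP {port}: secretRequired=false, connector accepts unauthenticated AJP")
        elif secret not in secrets:
            findings.append(f"AJP {port}: no ajp13 worker uses this secret; mod_jk requests will be rejected")
        # An unset address is treated as the wildcard here, which is how pre-fix Tomcat bound AJP.
        if c.get("address", "0.0.0.0") in ("0.0.0.0", "::"):
            findings.append(f"AJP {port}: bound on all interfaces; bind to 127.0.0.1 when httpd is local")
    return findings
```

To check a real deployment, call `audit(open("server.xml").read(), open("workers.properties").read())`; the sample above reports only the all-interfaces binding, which is worth tightening to the loopback address when httpd runs on the same host.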
Also, Tomcat 8 will start more slowly because of the secure random generation it performs at startup; this behaviour came with the latest version.
It may add 2-3 minutes to the startup time, which shows up in the log as:
WARNING: Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [235,228] milliseconds.
The following error can be seen in the Tomcat logs if the secret is not configured correctly, or not configured at all, in the Tomcat/Apache config:
Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.