Critical Security Exploit "Ghostcat" in Apache Tomcat
VISUS IT security staff continuously evaluate whether known security vulnerabilities in third-party components are relevant to the operation of JiveX and whether appropriate measures should be recommended or initiated.
Configuration Adjustment and Update of the Apache Tomcat Server
In the course of these evaluations we would like to point out a security issue in the "Apache Tomcat Server". The vulnerability, named "Ghostcat", is tracked as CVE-2020-1938. It may allow attackers to gain access to data within the web applications and possibly to execute malicious code. A detailed description of the issue can be found here.
All web-based JiveX clients that use the "Apache Tomcat Server" as their web server are affected by this issue if the AJP connector is enabled. The risk is higher for installations in the demilitarized zone (DMZ). We recommend one of the following measures to address this issue:
Either: Disable the AJP Connector Port
The AJP port can be disabled by modifying the Apache Tomcat configuration. To do so, remove the following section from the configuration file "[jivexhtml installation directory]\tomcat9\conf\server.xml":
<Connector
port="8009"
protocol="AJP/1.3"
redirectPort="443"
/>
Alternative: Update of the Apache Tomcat Server
Starting with JiveX 5.1.0, Apache Tomcat updates can be performed independently of JiveX updates. Please note that all Apache Tomcat versions up to 9.0, including its patch releases, have been tested and cleared for use with all web-based clients. The described issue is resolved in the current Apache Tomcat version 9.0.31.
The JiveX major version 5.2.0, available since 16 March 2020, automatically installs Apache Tomcat version 9.0.31. Please check whether you are affected by this issue. Our support will gladly assist you.
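To help verify which of the two measures above still applies to an installation, the following added example (not part of the VISUS advisory and not JiveX or Tomcat project code) parses a server.xml, reports every active AJP connector, and compares the installed Tomcat version against the 9.0.31 release named above. The server.xml content and the version strings are constructed samples; the path to the real file on a JiveX host is the one given in the advisory. The version comparison assumes the Tomcat 9 line the advisory discusses.

```python
"""Ghostcat (CVE-2020-1938) exposure check: AJP connector present + Tomcat < 9.0.31.

Added example for the advisory above; constructed sample data, not a real installation.
"""
import sys
import xml.etree.ElementTree as ET

# First Tomcat 9 release the advisory names as resolving the issue.
FIXED_VERSION = (9, 0, 31)

# Constructed server.xml fragment containing the AJP block the advisory says to remove.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="443" />
    <Connector
      port="8009"
      protocol="AJP/1.3"
      redirectPort="443"
    />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Same fragment after the AJP connector has been commented out (constructed).
SAMPLE_SERVER_XML_DISABLED = SAMPLE_SERVER_XML.replace(
    "    <Connector\n      port=\"8009\"", "    <!-- <Connector\n      port=\"8009\""
).replace("    />\n    <Engine", "    /> -->\n    <Engine")


def find_ajp_connectors(server_xml: str) -> list:
    """Return the attribute dict of every active <Connector> that speaks AJP.

    Tomcat accepts "AJP/1.3" as well as fully qualified class names such as
    org.apache.coyote.ajp.AjpNioProtocol; all contain "ajp".  Elements inside
    <!-- --> comments are dropped by the XML parser, so a commented-out
    connector correctly counts as disabled.
    """
    root = ET.fromstring(server_xml)
    found = []
    for connector in root.iter("Connector"):
        protocol = connector.get("protocol", "HTTP/1.1")  # Tomcat default is HTTP
        if "ajp" in protocol.lower():
            found.append(dict(connector.attrib))
    return found


def parse_version(text: str) -> tuple:
    """Turn 'Apache Tomcat/9.0.31' or '9.0.31' into a comparable tuple (9, 0, 31)."""
    digits = text.rsplit("/", 1)[-1].strip()
    return tuple(int(part) for part in digits.split("."))


def assess(server_xml: str, tomcat_version: str) -> dict:
    """Apply the advisory's logic: affected when an AJP connector is enabled
    and the installed Tomcat is older than 9.0.31."""
    ajp = find_ajp_connectors(server_xml)
    patched = parse_version(tomcat_version) >= FIXED_VERSION
    return {
        "ajp_enabled": bool(ajp),
        "ajp_ports": [c.get("port") for c in ajp],
        "tomcat_patched": patched,
        "affected": bool(ajp) and not patched,
    }


if __name__ == "__main__":
    # Usage: python ghostcat_check.py <path to server.xml> <tomcat version string>
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            result = assess(fh.read(), sys.argv[2])
    else:
        result = assess(SAMPLE_SERVER_XML, "Apache Tomcat/9.0.30")
    for key, value in result.items():
        print(f"{key}: {value}")
```

The version string can be taken from the "Server version" line that Tomcat's version script prints, or from the Tomcat startup log. Either mitigation alone clears the "affected" flag: removing (or commenting out) the connector, or running 9.0.31 or later.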
Are you Interested in Updating to the New Version 5.2.0?
Our Update Service is looking forward to hearing from you.