James,

On 4/5/21 14:58, James H. H. Lampert wrote:
> We've just gotten a complaint about a vulnerability involving AJP (to something called "Ghostcat") from a customer. The report from the security consultant recommends updating to a more recent version of Tomcat, and I note that we've already started rolling out 7.0.108 to customers.
>
> Looking at server.xml, the only reference to AJP is in relation to port 8009, and this connector is commented out in 108, but not in 93.
>
> So what exactly *is* this connector, and what purpose does it serve?

If you are not running a reverse-proxy in front of Tomcat, then it does absolutely nothing for you.

If you *are* running a reverse-proxy in front of Tomcat, then it *may* do something for you, depending upon what software you are using and what its configuration is.

IMHO, it's time for AJP to go. [1]

(This is another reminder to me to get off my butt and post all the presentations from ApacheCon @Home to the "Presentations" page.)

-chris

[1] https://www.youtube.com/watch?v=qUjUEvGFstI
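An added example, not from this thread or from the Tomcat project: a small audit of server.xml that answers the practical question above (is the AJP connector live, and if so, is it confined to a local reverse proxy?). The sample files are constructed; the `address`, `secretRequired` and `secret` attributes are the ones Tomcat added in 7.0.100+, and the defaults assumed in the comments follow those releases.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not from the thread). OLD mirrors a 7.0.93-style default
# with the AJP connector live; NEW mirrors 7.0.108, where it ships commented out.
SERVER_XML_OLD = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

SERVER_XML_NEW = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
</Service></Server>"""

# What a site that really needs AJP (reverse proxy on the same host) would keep.
SERVER_XML_PROXIED = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="REPLACE-WITH-SHARED-SECRET"/>
</Service></Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp(server_xml: str) -> list[dict]:
    """Return one finding per live AJP connector, listing why it is a concern.

    A commented-out <Connector> never becomes an element, so the parser skips
    it, which is exactly the distinction between the 7.0.93 and 7.0.108 files.
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        issues = []
        if conn.get("address") not in LOOPBACK:
            # Builds before 7.0.100 bind every interface unless address= is set.
            issues.append("address not pinned to loopback")
        if conn.get("secretRequired", "true").lower() != "true":
            issues.append("secretRequired disabled")
        elif not conn.get("secret"):
            # 7.0.100+ refuses to start such a connector; older builds run it open.
            issues.append("no shared secret configured")
        findings.append({"port": conn.get("port"), "issues": issues})
    return findings


def needs_attention(server_xml: str) -> bool:
    """True when any live AJP connector has at least one issue."""
    return any(f["issues"] for f in audit_ajp(server_xml))
```

Run it against the real `conf/server.xml` of each deployed instance; an empty result means the connector is off, and a finding with an empty issue list means AJP is on but confined to a local proxy with a shared secret.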
