Hi, recently a new Tomcat vulnerability called "Ghostcat" came to light. It affects almost all Tomcat releases and, because of that, all DSpace installations.

According to https://access.redhat.com/solutions/4851251: "The AJP protocol is enabled by default, with the AJP connector listening in TCP port 8009 and bound to IP address 0.0.0.0. A remote, unauthenticated/untrusted attacker could exploit this AJP configuration to read web application files from a server exposing the AJP port to untrusted clients. In instances where a poorly configured server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types to gain remote code execution (RCE)."

In short: the Tomcat AJP connector may allow unwanted access to files and, in particular scenarios, remote code execution, and it is exposed by default in most Tomcat servers.

The bug was fixed in Apache Tomcat 9.0.31, 8.5.51 and 7.0.100, but if you can't upgrade, or if no fixed release exists for your Tomcat version, you can at least try some quick fixes:

1) Disable the AJP connector in server.xml (if you don't use a reverse proxy):

   <!-- <Connector protocol="AJP/1.3" port="8009" ... /> -->

2) Bind the AJP connector to the localhost interface so it can only be accessed from the same host, or to the interface used by your reverse proxy:

   <Connector protocol="AJP/1.3" port="8009" address="localhost" .../>

3) Filter/reject incoming traffic to port 8009 coming from the internet.

Any correction or additional fixes are welcome.

Regards.
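As an added check (not part of the original post), the following Python script parses a Tomcat server.xml and reports the AJP connectors that are still reachable from other hosts, i.e. the ones that fix 1) would remove or fix 2) would confine to loopback. The server.xml fragments it runs against are constructed samples, not taken from any real installation.

```python
import xml.etree.ElementTree as ET

# Bind addresses that keep the AJP connector reachable only from the same host.
LOOPBACK_ADDRESSES = {"localhost", "127.0.0.1", "::1"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector in a server.xml document.

    A finding records the port, the bind address (None when the attribute is
    absent, which makes Tomcat listen on all interfaces) and whether the
    connector is exposed beyond loopback. A commented-out connector (fix 1)
    is invisible to the XML parser, so it produces no finding at all.
    """
    findings = []
    for connector in ET.fromstring(server_xml).iter("Connector"):
        if not connector.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        address = connector.get("address")
        findings.append({"port": connector.get("port"), "address": address,
                         "exposed": address not in LOOPBACK_ADDRESSES})
    return findings


def exposed_ajp_ports(server_xml: str) -> list:
    """Ports of AJP connectors that still accept connections from other hosts."""
    return [f["port"] for f in audit_ajp_connectors(server_xml) if f["exposed"]]


# Constructed server.xml fragments (not taken from the post): the stock layout
# with AJP on every interface, then the same file after fix 2) and after fix 1).
DEFAULT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""
HARDENED_SERVER_XML = DEFAULT_SERVER_XML.replace(
    'protocol="AJP/1.3"', 'protocol="AJP/1.3" address="localhost"')
DISABLED_SERVER_XML = DEFAULT_SERVER_XML.replace(
    '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />',
    '<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->')

if __name__ == "__main__":
    for name, xml in [("default", DEFAULT_SERVER_XML),
                      ("hardened", HARDENED_SERVER_XML), ("disabled", DISABLED_SERVER_XML)]:
        print(f"{name}: exposed AJP ports = {exposed_ajp_ports(xml)}")
```

Point it at your real conf/server.xml with `exposed_ajp_ports(open(path).read())`; an empty list means every AJP connector is either gone or confined to loopback, which still leaves fix 3) worth applying as defence in depth.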
