A critical Tomcat vulnerability was identified with a CVSS v3 score of 9.8 out of a possible 10. The vulnerability can be used to extract configurations and secrets from the affected servers and allows remote code execution. The blind spot here is the Tomcat AJP port, which listens on port 8009 by default and, in affected versions, allows unauthenticated access to all Tomcat files.
The following Nexus products are affected:
Prime: Customers can apply any of the three counter-measures listed below.
Certificate Manager Protocol Gateway: Customers can apply any of the three counter-measures listed below.
Version 2.x: The AJP port is required, so updating Tomcat is the recommended counter-measure.
Version 3.x: Not affected
Load balancers or reverse proxies that connect over the AJP port must support the configuration of an AJP secret before updating to the fixed version, since the fixed version requires one.
In general there are three possible counter-measures:
Disable the AJP connector in the Tomcat server.xml if it is not used.
Update to a fixed Tomcat version (see Update paths below). This may cause compatibility issues with load balancers or reverse proxies that use AJP, because the fixed versions impose stricter security requirements on the AJP protocol (see the link to the AJP configuration).
Restrict access to the AJP port with firewall rules so that only the related load balancers or reverse proxies can reach it (the solution for services that are not compatible with the AJP changes).
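The first two counter-measures are changes to the AJP connector in Tomcat's conf/server.xml. The fragments below are an added illustration, not configuration taken from the Nexus products or from this advisory; the IP address and the secret value are constructed placeholders that must be replaced with site-specific values.

```xml
<!-- As shipped in older server.xml files: the AJP connector listens on every
     interface, and affected Tomcat versions accept connections on it without
     any authentication. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- Counter-measure 1 (AJP not used): comment the connector out or delete it
     and restart Tomcat. Port 8009 is then no longer opened at all. -->
<!--
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
-->

<!-- Counter-measure 2 (AJP required by a load balancer / reverse proxy):
     after updating to a fixed Tomcat version, bind the connector to the
     address the proxy reaches it on and require a shared secret. The proxy
     side (for example mod_jk or mod_proxy_ajp) must be configured with the
     same secret, otherwise it can no longer connect to Tomcat.
     "10.0.0.5" and the secret value below are constructed placeholders. -->
<Connector port="8009"
           protocol="AJP/1.3"
           address="10.0.0.5"
           secretRequired="true"
           secret="REPLACE-WITH-A-LONG-RANDOM-SECRET"
           redirectPort="8443" />
```

After restarting Tomcat, confirm with a listening-socket listing (for example `ss -ltn`) that port 8009 is either closed or bound only to the intended address. Whichever option is chosen, the firewall restriction from the third counter-measure remains a sensible additional layer.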