Modify product configurations to avoid Tomcat vulnerability Ghostcat
This article describes how to modify the configuration of Nexus products to mitigate the Tomcat vulnerability called Ghostcat.
Issue: CVE-2020-1938 Tomcat vulnerability “Ghostcat”
A critical Tomcat vulnerability was identified with a CVSS v3 score of 9.8 out of a possible 10. The blind spot is the Tomcat AJP connector, enabled by default on port 8009 and listening on all interfaces, which accepts requests without any authentication. Through it an attacker can read any file inside a deployed web application (for example WEB-INF/web.xml with its configuration and credentials) and, if the application also lets the attacker place a file such as a JSP into its directory, execute code on the server. In most deployments only a load balancer or reverse proxy needs to reach the AJP port, yet it is often exposed to the whole network.
Affected products
The following Nexus products are affected:
Prime: Customers can apply any of the three solutions mentioned below.
Certificate Manager Protocol Gateway: Customers can apply any of the three solutions mentioned below.
ESign:
Version 2.x: The AJP port is required, therefore the Tomcat update is recommended.
Version 3.x: Not affected
Load balancers or reverse proxies using the AJP port need to support the configuration of AJP secrets when updating to the new version.
Solutions
In general there are three possible counter-measures:
Disable the AJP connector in the Tomcat server.xml if it is not used (comment out or remove the Connector element with protocol="AJP/1.3").
Update to a fixed Tomcat version (see Update paths below). This may cause compatibility issues with load balancers or reverse proxies that use AJP: the fixed versions bind the AJP connector to the loopback address by default and require a shared secret (secretRequired="true" with a secret attribute), and a connector without a secret refuses to start (see the AJP configuration link below).
Restrict access to the AJP port with firewall rules so that only the related load balancers or reverse proxies can reach it (the solution for services that are not compatible with the AJP changes).
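The script below, added here as an example (it is not Nexus or Apache Tomcat code), audits a Tomcat server.xml against the counter-measures above: it reports every enabled AJP connector, whether it is pinned to a loopback address, and whether it carries the shared secret that the fixed Tomcat versions require. The three server.xml snippets are constructed samples; the ports, the address and the secret value in them are placeholders, and the same secret must also be configured on the load balancer or reverse proxy side.

```python
"""Audit a Tomcat server.xml for the Ghostcat (CVE-2020-1938) exposure.

Added example; this is not Nexus or Apache Tomcat code.  The three
server.xml snippets are constructed samples with placeholder values.
"""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Counter-measure 1: the AJP connector is commented out, nothing listens on 8009.
DISABLED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
  </Service>
</Server>
"""

# Pre-fix default: AJP on 8009, no address (all interfaces), no secret.
WEAK_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Hardened: bound to loopback and protected by a shared secret that the
# load balancer / reverse proxy must present (Tomcat 7.0.100+, 8.5.51+, 9.0.31+).
HARDENED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-long-random-value"
               redirectPort="8443"/>
  </Service>
</Server>
"""


def _audit_root(root) -> list:
    """Walk all Connector elements and collect findings for the AJP ones."""
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        # Matches "AJP/1.3" as well as explicit org.apache.coyote.ajp.* class names.
        if "ajp" not in protocol.lower():
            continue
        address = conn.get("address")
        issues = []
        if address is None or address not in LOOPBACK:
            # Pre-fix Tomcat binds to all interfaces when no address is set; the
            # fixed versions default to loopback, but an explicit value keeps the
            # audit independent of the Tomcat version (otherwise: counter-measure 3).
            issues.append("not explicitly bound to a loopback address "
                          "(address=%r)" % (address,))
        # secretRequired defaults to true on the fixed versions; "false" disables it.
        secret_required = conn.get("secretRequired", "true").lower() != "false"
        secret = conn.get("secret") or conn.get("requiredSecret")  # older attribute name
        if not secret_required:
            issues.append('secretRequired="false": unauthenticated AJP requests accepted')
        elif not secret:
            issues.append("no AJP secret configured: pre-fix Tomcat accepts any AJP "
                          "client, fixed Tomcat refuses to start this connector")
        findings.append({"port": conn.get("port"), "address": address, "issues": issues})
    return findings


def audit_ajp(server_xml: str) -> list:
    """Audit server.xml given as text.  Returns one finding dict per AJP
    connector; an empty list means no AJP connector is enabled, an empty
    'issues' list means the connector is loopback-bound and secured."""
    return _audit_root(ET.fromstring(server_xml.strip()))


def audit_file(path: str) -> list:
    """Audit a real server.xml on disk (parsed as bytes, so the XML
    declaration's encoding is honoured)."""
    return _audit_root(ET.parse(path).getroot())


if __name__ == "__main__":
    for name, xml in (("disabled", DISABLED_SERVER_XML),
                      ("weak", WEAK_SERVER_XML),
                      ("hardened", HARDENED_SERVER_XML)):
        print(name, audit_ajp(xml) or "no AJP connector enabled")
```

Run it against a live installation with audit_file("/path/to/conf/server.xml"). An AJP connector with an empty issues list still needs the load balancer or reverse proxy to send the same secret, otherwise the fixed Tomcat rejects its requests.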
Update paths
To do a Tomcat update, follow these paths:
Tomcat 7 and older -> Tomcat 7.0.100
Tomcat 8 / 8.5 -> Tomcat 8.5.51
Tomcat 9 -> Tomcat 9.0.31
Links
Background information:
https://nvd.nist.gov/vuln/detail/CVE-2020-1938
AJP configuration with secret, secretRequired: http://tomcat.apache.org/tomcat-7.0-doc/config/ajp.html