Modify product configurations to avoid Tomcat vulnerability Ghostcat

This article describes how to modify the configuration of Nexus products to address the Tomcat vulnerability called Ghostcat.

Issue: CVE-2020-1938 Tomcat vulnerability “Ghostcat”

A critical Tomcat vulnerability has been identified with a CVSS v3 score of 9.8 out of a possible 10. The vulnerability can be used to extract configurations and secrets from affected servers and allows remote code execution. The blind spot is the Tomcat AJP port, port 8009 by default, which allows unauthenticated access to all Tomcat files.

Affected products

The following Nexus products are affected:

  • Prime: Customers can apply any of the three solutions mentioned below.

  • Certificate Manager Protocol Gateway: Customers can apply any of the three solutions mentioned below.

  • ESign:

    • Version 2.x: The AJP port is required, therefore the Tomcat update is recommended.

    • Version 3.x: Not affected

Load balancers or reverse proxies that use the AJP port must support the configuration of AJP secrets when updating to the new version.

Solutions

In general, there are three possible countermeasures:

  • Disable the AJP port in the Tomcat server.xml if it is not used.

  • Update to a fixed Tomcat version (see Update paths below). This might cause compatibility issues with related load balancers or reverse proxies if they use AJP, because the fixed versions impose stricter security requirements on the AJP protocol (see link to AJP configuration).

  • Restrict access to the AJP port with firewall rules to the related load balancers or reverse proxies (the solution for services that are not compatible with the AJP changes).
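The three countermeasures above all come down to the state of the AJP `Connector` element in server.xml. The following script is an added example (not Nexus or Tomcat project code) that audits a server.xml for the Ghostcat exposure: it reports every enabled AJP connector, flags one that has no shared secret, and warns when it is not bound to a loopback address. The three embedded server.xml documents are constructed samples, as is the placeholder secret value; the hardened sample assumes the reverse proxy runs on the same host, so the connector can be bound to 127.0.0.1 (a remote load balancer instead needs an internal address plus the firewall restriction described above).

```python
# Added example (not Nexus or Tomcat project code): audit a Tomcat server.xml
# for the Ghostcat (CVE-2020-1938) exposure, i.e. an enabled AJP connector
# that is reachable without a shared secret. The server.xml samples below
# are constructed for the example.
import sys
import xml.etree.ElementTree as ET

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def audit_ajp(server_xml: str) -> list:
    """Return one finding per enabled AJP connector. Commented-out connectors
    are dropped by the XML parser, so a disabled AJP port yields no finding."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # Tomcat treats a Connector without a protocol attribute as HTTP/1.1.
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP/"):
            continue
        # 'secret' is the attribute name in the fixed Tomcat versions;
        # 'requiredSecret' is the older spelling those versions still accept.
        secret = conn.get("secret") or conn.get("requiredSecret")
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        address = conn.get("address")
        issues, warnings = [], []
        if not secret:
            issues.append("no AJP secret configured")
        if not secret_required:
            issues.append('secretRequired="false" disables the secret check')
        if address is None:
            warnings.append("bound to all interfaces (no address attribute)")
        elif address not in LOOPBACK_ADDRESSES:
            warnings.append(f"bound to non-loopback address {address}")
        findings.append({"port": conn.get("port", "8009"),
                         "issues": issues, "warnings": warnings})
    return findings


def is_exposed(server_xml: str) -> bool:
    """True when at least one enabled AJP connector lacks secret protection."""
    return any(f["issues"] for f in audit_ajp(server_xml))


# Constructed sample: the stock AJP connector as shipped before the fix.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>"""

# Constructed sample: AJP kept for a reverse proxy on the same host, bound to
# loopback and protected by a secret (the value is a placeholder to replace).
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-LONG-RANDOM-SECRET"
               redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>"""

# Constructed sample: AJP is not used, so the connector is commented out.
DISABLED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!--
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    -->
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>"""


def main(argv):
    # With a path argument, audit that server.xml; otherwise run the samples.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            samples = {argv[1]: fh.read()}
    else:
        samples = {"weak": WEAK_SERVER_XML, "hardened": HARDENED_SERVER_XML,
                   "disabled": DISABLED_SERVER_XML}
    for name, xml_text in samples.items():
        findings = audit_ajp(xml_text)
        verdict = "EXPOSED" if is_exposed(xml_text) else "ok"
        print(f"{name}: {verdict}; AJP connectors: {findings or 'none enabled'}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the path to your product's server.xml to get a verdict for that file. The script only reads the configuration; it does not test whether the port is reachable, so a connector without a secret but shielded by firewall rules (the third countermeasure) is still reported as exposed and has to be judged against those rules. Note that the fixed Tomcat versions refuse to start an AJP connector that has no secret unless secretRequired="false" is set explicitly, which is why load balancers using AJP must support the secret before the update.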

Update paths

To update Tomcat, follow these paths:

  • Tomcat 7 and older -> Tomcat 7.0.100

  • Tomcat 8 /8.5 -> Tomcat 8.5.51

  • Tomcat 9 -> Tomcat 9.0.31
