How to mitigate the Apache Tomcat Ghostcat vulnerability in CVE-2020-1938

  • 7024548
  • 08-Apr-2020
  • 10-Apr-2020

Environment

Host Access Management and Security Server (MSS) 12.6.3 and earlier
Host Access for the Cloud (Reflection ZFE) 2.4.3 and earlier
Reflection for the Web 13.0 Hotfix 4 and earlier

Situation

The following instructions contain information on how to mitigate the Ghostcat vulnerability in Host Access Management and Security Server (MSS).

From NIST: “When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited.” For further details, see https://nvd.nist.gov/vuln/detail/CVE-2020-1938.

Resolution

IIS not required

If IIS integration is not used, then the ports that listen for this communication can be disabled. This can be done by editing the container.properties file for the MSS Server. On Windows, the default location for the container.properties file is the C:\Program Files\Micro Focus\MSS\server\conf directory. On UNIX, it is in the /opt/microfocus/mss/server/conf directory.


  1. Open the container.properties file with an editor that has administrator privileges.
  2. Look for the servletengine.ajpPorts line and comment it out.

    Example:

    servletengine.ajpPorts=8001,8002
    to:
    #servletengine.ajpPorts=8001,8002


  3. Save the changes to the container.properties file.
  4. Restart the Micro Focus MSS Server Service for the changes to take effect.
  5. Once the Micro Focus MSS Server Service is fully started, verify the change by running netstat -a at the command line to ensure that the ports 8001 and 8002 no longer display.

If IIS is required, change the AJP ports to listen on the localhost interface

To change MSS so the AJP ports listen on the localhost interface, the server.xml file must be edited. On Windows, server.xml is in the C:\Program Files\Micro Focus\MSS\server\web directory. On UNIX, it is in the /opt/microfocus/mss/server/web directory.


  1. Open the server.xml file with an editor that has administrator privileges.
  2. Look for the <Service name="Catalina"> element and add the following lines directly below it:

    <Connector port="8001" address="127.0.0.1" protocol="AJP/1.3" secure="false" tomcatAuthentication="false" secretRequired="false"/>
    <Connector port="8002" address="127.0.0.1" protocol="AJP/1.3" secure="false" tomcatAuthentication="false" secretRequired="false"/>

  3. Save the changes to the server.xml.
  4. Restart the Micro Focus MSS Server Service for the changes to take effect.

    By adding these connectors to server.xml, MSS configures Tomcat to open the AJP ports on the loopback address 127.0.0.1 only. Because that address is reachable only from the local machine, the AJP ports can no longer be reached by remote attackers.

    Key parameters:

    secure="false" - disables TLS on the AJP connector, which is not required because TLS, if needed, is handled by IIS.
    tomcatAuthentication="false" - disables Tomcat authentication, which is not required because IIS performs HTTP authentication if needed.
    secretRequired="false" - disables the shared secret on the AJP ports. A secret is a password shared between IIS and Tomcat; only AJP clients that present the secret can talk to Tomcat's AJP ports. Since IIS and Tomcat are on the same box and the ports are bound to 127.0.0.1, there is no need for a secret.


  5. Once the Micro Focus MSS Server Service is fully started, verify the change by running netstat -a at the command line. This should show that the AJP ports are bound to the localhost address. Example:

    Proto  Local Address          Foreign Address        State
    TCP    127.0.0.1:8001         server-name:0      LISTENING
    TCP    127.0.0.1:8002         server-name:0      LISTENING


Firewall

An alternative to changing the product configuration is to block remote traffic to TCP ports 8001 and 8002. With a firewall rule in place, the local IIS can still reach those AJP ports, but remote hosts cannot.

Remote IIS

In releases prior to MSS 12.6 SP1, it was possible to configure MSS to be integrated with a remote IIS server. Such a configuration is not officially supported. The IIS Integration Utility provided by MSS supports only local IIS integrations, but a remote configuration could be set up manually without the utility.

If a remote IIS connection was manually configured, then it should be possible to edit the server.xml file to listen on public ports and to establish a secret. On Windows, server.xml is in the C:\Program Files\Micro Focus\MSS\server\web directory. On UNIX, it is in the /opt/microfocus/mss/server/web directory.


  1. Open the server.xml file with an editor that has administrator privileges.
  2. Look for the <Service name="Catalina"> element and add the following lines directly below it:

    <Connector port="8001" address="0.0.0.0" protocol="AJP/1.3" secure="false" tomcatAuthentication="false" secretRequired="true" secret="changeit"/>

    <Connector port="8002" address="0.0.0.0" protocol="AJP/1.3" secure="false" tomcatAuthentication="false" secretRequired="true" secret="changeit"/>


  3. Edit the secret password shared between IIS and MSS. Be sure to change "changeit" to something less obvious.
  4. Save the changes to the server.xml.
  5. Restart the Micro Focus MSS Server Service for the changes to take effect.

    Key parameters:

    address="0.0.0.0" - listen on all addresses. If the MSS box has multiple NICs, listening only on the network interface that IIS uses is more secure than listening on everything.
    secretRequired="true" - MSS's Tomcat AJP ports will reject communication from AJP clients that do not present the secret.
    secret="changeit" - the secret password shared between IIS and MSS. Be sure to change "changeit" to something less obvious.

  6. On the IIS machine, IIS integration should be configured via an ISAPI filter. The filter configuration should reference a workers.properties file that looks something like:

    # Defining a worker named ajp13_worker of type ajp13
    # Note that the worker name and the worker type do not have to match.

    worker.list=ajp13_worker

    worker.ajp13_worker.port=8001
    worker.ajp13_worker.host=my_mss_server
    worker.ajp13_worker.secret=changeit
    worker.ajp13_worker.type=ajp13


    Key parameters:
    worker.ajp13_worker.host - the hostname of the MSS server.
    worker.ajp13_worker.secret - the secret that MSS's Tomcat AJP ports are configured with. It must match the secret in server.xml, so be sure to change "changeit" in both places to something less obvious.
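The following audit script is an added example, not part of this article or of the MSS product. It parses a server.xml (a constructed sample fragment is embedded) and classifies each AJP/1.3 Connector according to the mitigations above: bound to loopback (the local IIS case), bound to all interfaces with a shared secret (the remote IIS case, with a warning if the secret is still the placeholder "changeit"), or exposed with neither mitigation.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not the file shipped with MSS).
# It holds one connector for each case discussed in the article plus an
# unrelated HTTP connector that the audit must ignore.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8001" address="127.0.0.1" protocol="AJP/1.3"
               secure="false" tomcatAuthentication="false" secretRequired="false"/>
    <Connector port="8002" address="0.0.0.0" protocol="AJP/1.3"
               secure="false" tomcatAuthentication="false"
               secretRequired="true" secret="changeit"/>
    <Connector port="8009" protocol="AJP/1.3"/>
    <Connector port="8443" protocol="HTTP/1.1"/>
  </Service>
</Server>"""

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}
PLACEHOLDER_SECRET = "changeit"  # the example value the article tells you to replace


def audit_ajp_connectors(xml_text):
    """Return (port, verdict, reason) for every AJP/1.3 Connector in server.xml."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        # Tomcat treats a missing protocol attribute as HTTP/1.1; only AJP matters here.
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        port = conn.get("port", "?")
        address = conn.get("address")  # absent means "bind to all interfaces"
        # An absent secretRequired is treated as "not explicitly enforced" (conservative).
        secret_required = conn.get("secretRequired", "").lower() == "true"
        secret = conn.get("secret")

        if address in LOOPBACK_ADDRESSES:
            findings.append((port, "OK", "bound to loopback; only local IIS can reach it"))
        elif secret_required and secret and secret != PLACEHOLDER_SECRET:
            findings.append((port, "OK", "reachable remotely but AJP secret is enforced"))
        elif secret_required and secret == PLACEHOLDER_SECRET:
            findings.append((port, "WARN", "secret is still the placeholder 'changeit'"))
        elif secret_required:
            findings.append((port, "WARN", "secretRequired set but no secret value given"))
        else:
            findings.append((port, "EXPOSED", "all interfaces, no secret: CVE-2020-1938 unmitigated"))
    return findings


if __name__ == "__main__":
    for port, verdict, reason in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {verdict} ({reason})")
```

To audit a live installation, read the product's server.xml from the path given above and pass its contents to audit_ajp_connectors instead of the sample.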

Status

Security Alert
