If you deploy Apache Tomcat separately to support your ArcGIS platform deployment, please take two minutes to read this summary of a critical vulnerability that affects 13 years of Tomcat versions in their default install configuration. While Esri embeds Tomcat within some of its products, we disable the Apache JServ Protocol (AJP) connector, so deploying our products does not expose you to the GhostCat vulnerability.
If our products are not vulnerable, why provide an announcement? First, the GhostCat vulnerability (CVE-2020-1938) is in the media and customers want to know whether their ArcGIS deployment is vulnerable. Second, some customers choose to deploy Apache Tomcat separately with our products, such as in conjunction with the ArcGIS Java Web Adaptor, or together with Apache as a reverse proxy. If your organization uses either of these configurations, we strongly recommend you validate whether the AJP connector is enabled (the default, vulnerable Tomcat configuration).
Verification: You can validate whether the AJP connector is disabled for your Tomcat deployment by opening the <Tomcat>/conf/server.xml file and checking that the connector has been commented out, similar to the line below:
<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
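The verification step above can be scripted so it is repeatable across many Tomcat instances. The following is an added example written for this article, not Esri or Apache code: it parses a server.xml and reports only AJP connectors that are still active, since the XML parser discards commented-out elements (the exact state the mitigation aims for). The embedded server.xml is a constructed sample; the check_server_xml_file helper and the `<Tomcat>` path are assumptions about where your own file lives.

```python
"""Report active AJP connectors in a Tomcat server.xml (GhostCat exposure check)."""
import xml.etree.ElementTree as ET

# Constructed sample server.xml, not from a real deployment: the 8009 AJP
# connector is commented out (the recommended mitigation) but a second
# AJP connector on 8010 was left active and should be flagged.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Connector port="8010" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def find_enabled_ajp_connectors(server_xml_text):
    """Return a list describing every *active* AJP connector.

    ElementTree drops XML comments while parsing, so a connector that has
    been commented out is never seen here; only live elements are reported.
    The protocol attribute may be the short form (AJP/1.3) or a full class
    name such as org.apache.coyote.ajp.AjpNioProtocol; both contain 'ajp'.
    """
    root = ET.fromstring(server_xml_text)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")  # Tomcat default when omitted
        if "ajp" not in protocol.lower():
            continue
        findings.append({
            "port": conn.get("port"),
            "protocol": protocol,
            # No 'address' means the connector listens on all interfaces.
            "address": conn.get("address", "all interfaces"),
        })
    return findings


def is_ghostcat_exposed(server_xml_text):
    """True if any AJP connector is active, i.e. the vulnerable default."""
    return bool(find_enabled_ajp_connectors(server_xml_text))


def check_server_xml_file(path):
    """Assumed helper: run the check against a file such as <Tomcat>/conf/server.xml."""
    with open(path, encoding="utf-8") as fh:
        return find_enabled_ajp_connectors(fh.read())
```

Running it against the sample reports the active connector on port 8010 and none for the commented-out 8009 entry.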
Mitigation: If the Tomcat AJP connector is not disabled and you are using our Web Adaptor, comment out the connector to disable it right away. Better still, upgrade to the latest version of Tomcat, which fixes the vulnerability and disables AJP by default. Note that JBoss is also affected, but it is significantly less common.
This issue is a good reminder of the importance of security hardening your deployment. We include some tools to help with this when using our products, but make sure you also harden any additional third-party components you add. A brief write-up on hardening Tomcat 8 is here; note the final step, minimizing connectors, which for most customers means disabling AJP.
Additional info about GhostCat may be found here. We will update this article if/as necessary.
- Esri’s Software Security & Privacy Team