Don't Get Bitten by GhostCat Tomcat Vulnerability

Michael Young, Esri Software Security & Privacy Team
ArcGIS Blog (Administration). Published March 3, 2020; last modified February 16, 2022.
https://www.esri.com/arcgis-blog/products/arcgis-online/administration/dont-get-bitten-by-ghostcat-tomcat-vulnerability
Tags: ArcGIS Trust Center, Security. Products: ArcGIS Enterprise, ArcGIS Online, ArcGIS Trust Center.

Critical vulnerability in Tomcat could affect your ArcGIS deployment

If you deploy Apache's Tomcat separately to support your ArcGIS platform deployment, please take two minutes to read this summary concerning a critical vulnerability spanning 13 years of Tomcat versions using the default install. While Esri embeds Tomcat within some of its products, we disable the Apache JServ Protocol (AJP) connector, so deploying our products does not expose you to the GhostCat vulnerability.

If our products are not vulnerable, why provide an announcement? First, the GhostCat vulnerability (CVE-2020-1938) is in the media, and customers want to know if their ArcGIS deployment is vulnerable. Second, some customers choose to deploy Apache Tomcat separately with our products, such as in conjunction with the ArcGIS Java Web Adaptor or together with Apache as a reverse proxy. If your organization uses either of these configurations, we strongly recommend you verify whether the AJP connector is enabled (the default, vulnerable Tomcat configuration).

Verification: You can confirm that the AJP connector is disabled for your Tomcat deployment by opening the <Tomcat>/conf/server.xml file and checking that the connector has been commented out, similar to the line below:

    <!-- <Connector port="8009" protocol="AJP/1.x" redirectPort="8443" /> -->

Mitigation: If the Tomcat AJP connector is not disabled and you are using our Web Adaptor (https://enterprise.arcgis.com/en/web-adaptor/latest/install/java-windows/install-arcgis-web-adaptor-server.htm), feel free to comment out the connector to disable it right away. Of course, even better would be to upgrade to the latest version of Tomcat, which fixes the vulnerability and disables AJP by default. Note that JBoss is also affected, but is significantly less common.

This issue serves as a great reminder of the importance of security hardening your deployment. We include some tools (https://trust.arcgis.com/en/security/security-overview.htm#ESRI_SECTION1_76CBDF2A590442098F9064BA2792C6F0) to help with this when using our products, but ensure you also harden any additional third-party components you add. A brief write-up concerning hardening Tomcat 8 is here (https://www.upguard.com/articles/15-ways-to-secure-apache-tomcat-8); notice the final step, minimize connectors, which for most customers will be accomplished by disabling AJP.

Additional info about GhostCat may be found here (https://securityboulevard.com/2020/02/patch-your-tomcat-and-jboss-instances-to-protect-from-ghostcat-vulnerability-cve-2020-1938-and/). We will update this article if/as necessary.

- Esri's Software Security & Privacy Team