New: April 20, 2020

Apache Tomcat is a very popular software package used to run Java ‘servlets’ and other web-facing services. A serious vulnerability was found in a protocol known as AJP used for communications between Tomcat and other software packages such as Apache httpd. Tomcat is used explicitly and is imbedded in other software packages.

The vulnerability can be exploited when attackers try to communicate to the AJP service. Remote code execution is a possible impact to an exploit. Please review the following recommendations to remediate the risk of compromise.

Recommended Actions:

  1. Please identify all instances of Tomcat software running within your environment. These may be imbedded in existing server services.
  2. There are software updates for the Tomcat versions 7, 8, 9. These should be installed ASAP if possible.
  3. Make changes to the AJP configuration to prevent possible exploit in Tomcat as outlined in the sources below.

References: