On February 24, 2020, a long-standing, high-impact vulnerability was disclosed in Apache Tomcat. Codenamed Ghostcat, it exploits a bug in the AJP protocol connector. As Loway products ship with a Tomcat container by default, we would like to clarify the situation for those who are concerned about the safety of their QueueMetrics or WombatDialer installations. Don’t panic.

  • The vulnerability is in the AJP protocol that Tomcat uses for Apache front-ends. This protocol is switched on by default in Tomcat installations, but recent Loway packages distributed via yum or Docker explicitly switch it off (as it is not widely used anymore), so they are not affected.
  • QueueMetrics Live is not at risk.
  • If you installed QueueMetrics or WombatDialer manually, or you changed the default settings to use AJP, then your Tomcat install may be exposed.
  • If you still run an installation set up before March 2019, it might be at risk and it’s time to update it.

Am I vulnerable?

If your packaged QueueMetrics or WombatDialer installations are up to date, the problem does not exist. So the easiest fix is simply to upgrade to the current versions using yum.

If you think your installation might be at risk, run the following command:

	lsof -i -P | grep '*:8009'

If you see no output, you are safe. If you see output like:

	java     4242 root   41u  IPv6  16887      0t0  TCP *:8009 (LISTEN)

then Tomcat is accepting AJP connections on port 8009 and you are vulnerable. (The pattern above only matches a connector bound to all interfaces; if you configured the AJP connector with an address attribute, grep for :8009 instead.)

Workaround

If for some reason you cannot simply update at the moment, edit the file /usr/local/queuemetrics/tomcat/conf/server.xml (or wherever your server.xml file is stored) and remove the lines:

	<!-- Define an AJP 1.3 Connector on port 8009 -->
	<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

then restart your Tomcat container.
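Both the check and the workaround above lend themselves to a script. The following is an added example, not Loway's code: it counts AJP listeners in lsof output and active AJP connectors in a server.xml, ignoring commented-out connectors (which a plain grep would miscount) and connectors whose attributes span several lines. It runs here on constructed sample input; the --live mode and the QueueMetrics server.xml path it defaults to are assumptions.

```shell
#!/bin/sh
# Added example (not Loway's code): scripted form of the two checks on this page.
# Both functions read stdin, so they also work on captured output or a copied server.xml.
# Count TCP sockets in `lsof -i -P` output LISTENing on port 8009,
# whatever address they are bound to (the page's grep only matches '*:8009').
ajp_listener_count() {
    grep -c -E 'TCP [^ ]*:8009 \(LISTEN\)' || true
}
# Count <Connector> elements using AJP in a server.xml, ignoring <!-- --> comments.
# Matches protocol="AJP/1.3" as well as the org.apache.coyote.ajp.* class names.
ajp_connector_count() {
    awk '
    { buf = buf $0 "\n" }
    END {
        out = ""
        while ((i = index(buf, "<!--")) > 0) {        # drop XML comments
            out = out substr(buf, 1, i - 1)
            buf = substr(buf, i + 4)
            if ((j = index(buf, "-->")) == 0) { buf = ""; break }
            buf = substr(buf, j + 3)
        }
        out = out buf
        n = 0
        while ((i = index(out, "<Connector")) > 0) {   # walk each Connector element
            out = substr(out, i + 10)
            if ((j = index(out, ">")) == 0) break
            if (substr(out, 1, j) ~ /AJP\/1\.3|coyote\.ajp\./) n++
            out = substr(out, j + 1)
        }
        print n
    }'
}
# Constructed sample inputs for a dry run (not real hosts or files).
SAMPLE_LSOF='java    4242 root   41u  IPv6  16887      0t0  TCP *:8009 (LISTEN)
java    4242 root   42u  IPv6  16888      0t0  TCP *:8080 (LISTEN)
java    4242 root   50u  IPv6  16900      0t0  TCP 10.0.0.5:8080->10.0.0.9:51234 (ESTABLISHED)'
SAMPLE_XML_FIXED='<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->'
SAMPLE_XML_EXPOSED='<Connector port="8009"
           protocol="AJP/1.3"
           redirectPort="8443" />'
# Live check (assumed usage): sh ghostcat_check.sh --live [path/to/server.xml]
if [ "${1-}" = "--live" ]; then
    echo "AJP listeners on :8009: $(lsof -i -P 2>/dev/null | ajp_listener_count)"
    echo "Active AJP connectors: $(ajp_connector_count < "${2:-/usr/local/queuemetrics/tomcat/conf/server.xml}")"
fi
```

A result of 0 for both counts after applying the workaround confirms the connector is gone and Tomcat has been restarted without it.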
