KonaKart Community Forum

Installation / Configuration => Configuration of KonaKart => Topic started by: smudge on April 03, 2020, 02:24:44 pm

Title: Ghostcat vulnerability
Post by: smudge on April 03, 2020, 02:24:44 pm
I read about the Ghostcat vulnerability - the subject of CVE-2020-1938

Is KonaKart vulnerable to that?
Title: Re: Ghostcat vulnerability
Post by: Brian on April 03, 2020, 02:34:45 pm
You need to take steps to ensure your installation of Tomcat is not exposed to this vulnerability.

First of all, not all installations need the AJP Connector to be enabled. If you don't need it, simply comment out the Connector in your Tomcat's server.xml (you'll find that in the installation's conf directory).

The AJP connector is often used for communication between an Apache Web Server and Tomcat.

If you use the AJP connector you must ensure that your firewall is configured to protect the AJP listening port from all locations that don't need access to it. You should ensure your AJP port is not accessible from external IP addresses.

Note that not all versions of Tomcat are affected.

It is certainly recommended that you upgrade to a version of Tomcat that has the fix. Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later resolve the problem.
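As an added worked example of the steps in the reply above (this is illustrative code, not code from the forum post, KonaKart or Tomcat), the POSIX shell script below audits a server.xml for an enabled AJP Connector and classifies a Tomcat version string against the fix versions named in the reply. The two server.xml fragments are constructed samples: the weak one has the AJP Connector enabled with default settings (default port 8009, bound to every interface, no secret); the hardened one keeps it only for a local Apache httpd by binding it to loopback with the `address` attribute and requiring a shared secret with `secretRequired`/`secret`, which are the AJP Connector attributes in the fixed Tomcat releases. The `/opt/tomcat` path in the final comment is an assumed install location.

```shell
#!/bin/sh
# Added example (not KonaKart's, Tomcat's or the poster's code): audit a
# Tomcat server.xml for an exposed AJP connector (the surface for Ghostcat,
# CVE-2020-1938) and classify a Tomcat version against the fix versions
# 9.0.31 / 8.5.51 / 7.0.100 named in the reply above.

# Constructed sample: pre-hardening server.xml, AJP connector enabled on all
# interfaces (Tomcat default port 8009) with no shared secret.
WEAK_XML='<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>'

# Constructed sample: hardened variant for the case where an Apache httpd on
# the same host is the only AJP client. The old connector is commented out
# and a loopback-only connector requiring a secret is added (attributes as
# in the fixed Tomcat releases). Commenting it out entirely also passes.
HARDENED_XML='<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-long-random-value"
               redirectPort="8443" />
  </Service>
</Server>'

# strip_comments: drop <!-- ... --> blocks (also multi-line ones) from stdin
# so a commented-out connector is not mistaken for an active one.
strip_comments() {
  awk '
  { line = $0; out = ""
    while (length(line) > 0) {
      if (incomment) {
        i = index(line, "-->")
        if (i == 0) { line = "" } else { line = substr(line, i + 3); incomment = 0 }
      } else {
        i = index(line, "<!--")
        if (i == 0) { out = out line; line = "" }
        else { out = out substr(line, 1, i - 1); line = substr(line, i + 4); incomment = 1 }
      }
    }
    print out }'
}

# active_ajp_connectors: print every uncommented <Connector ...> element
# whose protocol is AJP, one element per line (multi-line elements joined).
active_ajp_connectors() {
  strip_comments | tr '\n' ' ' | grep -o '<Connector[^>]*>' | grep 'protocol="AJP' || true
}

# assess_ajp: read server.xml on stdin and print one word:
#   disabled  - no active AJP connector (nothing to expose)
#   hardened  - every AJP connector is loopback-bound and requires a secret
#   exposed   - an AJP connector is reachable beyond loopback or has no secret;
#               firewall the port and fix the connector (or comment it out)
assess_ajp() {
  connectors=$(active_ajp_connectors)
  if [ -z "$connectors" ]; then
    echo disabled
    return 0
  fi
  total=$(printf '%s\n' "$connectors" | grep -c .)
  safe=$(printf '%s\n' "$connectors" \
         | grep -E 'address="(127\.0\.0\.1|::1|localhost)"' \
         | grep -c 'secretRequired="true"') || true
  if [ "$total" -eq "$safe" ]; then echo hardened; else echo exposed; fi
}

# tomcat_status: print "fixed" if VERSION is at or past the fix release for
# its line (9.0.31, 8.5.51, 7.0.100), "affected" if it is older (8.0.x never
# received the fix), or "unknown" for a release line the reply does not cover.
tomcat_status() {
  ver=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # drop suffixes such as ".M1"
  major=${ver%%.*}; rest=${ver#*.}
  minor=${rest%%.*}; patch=${rest#*.}; patch=${patch%%.*}
  case "$major" in
    9) fix_minor=0; fix_patch=31 ;;
    8) fix_minor=5; fix_patch=51 ;;
    7) fix_minor=0; fix_patch=100 ;;
    *) echo unknown; return 0 ;;
  esac
  if [ "$minor" -gt "$fix_minor" ] || { [ "$minor" -eq "$fix_minor" ] && [ "$patch" -ge "$fix_patch" ]; }; then
    echo fixed
  else
    echo affected
  fi
}

# Stand-alone demo on the constructed samples.
echo "weak server.xml:     $(printf '%s' "$WEAK_XML" | assess_ajp)"
echo "hardened server.xml: $(printf '%s' "$HARDENED_XML" | assess_ajp)"
for v in 9.0.30 9.0.31 8.5.51 7.0.99; do
  echo "Tomcat $v: $(tomcat_status "$v")"
done
# Real install (path assumed): assess_ajp < /opt/tomcat/conf/server.xml
```

After editing server.xml, restart Tomcat and confirm the result from the network side as well: on Linux, `ss -ltn` should show port 8009 either absent or bound to 127.0.0.1, not to 0.0.0.0 or `*`. The firewall rule the reply describes still belongs in place even when the connector is loopback-bound, since a later config change or package upgrade can reintroduce a wide binding.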