Ghostcat vulnerability in Tomcat (CVE-2020-1938)

IMPORTANT NOTE FROM 2020-05-12 Tomcat had a bug with AJP and IIS over HTTPS. Ivy 7.0.17 and 8.0.4/8.0.5 are affected by this bug. You will need to upgrade to 7.0.18 and 8.0.6.

The Axon.ivy Digital Business Platform is using Tomcat as web server. Ghostcat 👻😼 (CVE-2020-1938) is a security vulnerability in Tomcat and is related to the AJP protocol. AJP is a binary protocol and is used in conjunction with a reverse proxy like IIS or Apache httpd. A secure Axon.ivy Engine setup always includes a reverse proxy, like the following example:

Browser --> (HTTP, HTTPS) --> Reverse Proxy (IIS, Apache, ...) --> (AJP) --> Axon.ivy Engine

HTTP or HTTPS is also possible as communication protocol between the reverse proxy and the Axon.ivy Engine, but AJP is the most used setup, especially in Windows environments.

Are you affected by this vulnerability?

• 8.0 You are affected by this issue if you have explicitly enabled the AJP port and have not explicitly protected access to the Axon.ivy engine for example with a firewall.
• 7.0 You are affected by this issue if you not have explicitly disabled the AJP port and have not explicitly protected access to the Axon.ivy engine for example with a firewall.

How to fix this without updating?

Is your reverse proxy running on the same host as the Axon.ivy Engine?

• Yes. You need to bind the AJP port only to localhost by setting the property Connector.AJP.Address to localhost in ivy.yaml and restart the Axon.ivy Engine. The AJP port is now only available on the host itself. For Axon.ivy 7.0 you need to set the system property WebServer.AJP.Address to localhost.
• No. Configure your network to ensure exclusive access between the reverse proxy and the Axon.ivy Engine. If this is not possible, you will need to setup a firewall on the host where the Axon.ivy Engine is running. Only requests from the reverse proxy must be allowed.

What will change in Axon.ivy 7.0.17 and 8.0.6?

Axon.ivy will come with the latest Tomcat version:

• Axon.ivy 8.0.6 comes with Tomcat 9.0.35
• Axon.ivy 7.0.18 comes with Tomcat 8.5.55

Tomcat has changed the default behavior of the AJP port. AJP is now bound by default to localhost and not anymore to every network interface (nic). This means nobody can access the Axon.ivy Engine from another host via AJP. Furthermore the AJP port is now also disabled by default in Axon.ivy 7.0.18.

What do you have to do when upgrading to 7.0.18?

Is your reverse proxy running on the same host as the Axon.ivy Engine?

• Yes. Just make sure that the system property WebServer.AJP.Address is empty after the upgrade. So we take the Tomcat default and the AJP port is only available locally.
• No. You need to bind the AJP port to the public network address by setting the system property WebServer.AJP.Address to YOUR_AXON_IVY_ENGINE_IP_ADDRESS. Additionally, you need to configure your network to ensure exclusive access between the reverse proxy and the Axon.ivy Engine. If this is not possible, you will need to setup a firewall on the host where the Axon.ivy Engine is running. Only requests from the reverse proxy must be allowed.

If you don't use a reverse proxy at all, then you need to disable the AJP port by setting the system property WebServer.AJP.Enabled to false.

What do you have to do when upgrading to 8.0.6?

Is your reverse proxy running on the same host as the Axon.ivy Engine?

• Yes. Just make sure that Connector.AJP.Address in ivy.yaml is empty after the upgrade. So we take the Tomcat default and the AJP port is only available locally.
• No. You need to bind the AJP port to the public network address by setting the property Connector.AJP.Address to YOUR_AXON_IVY_ENGINE_IP_ADDRESS in ivy.yaml. Additionally, you need to configure your network to ensure exclusive access between the reverse proxy and the Axon.ivy Engine. If this is not possible, you will need to setup a firewall on the host where the Axon.ivy Engine is running. Only requests from the reverse proxy must be allowed.

isapi.dll and mod_jk.so upgrades

We also bundle with the upcoming release the latest version of isapi.dll and mod_jk.so. They are needed by the reverse proxy (IIS, Apache httpd). We recommend to upgrade them on the reverse proxy as described in the migration guide.

What about secret and secretRequired?

You may have read something about secret or secretRequired. This is an alternative way to protect the communication between the reverse proxy and Axon.ivy Engine. We believe that a secure communication between the reverse proxy and the Axon.ivy Engine should be protected by firewall rules even in trusted networks and therefore this is not needed.

If you don't have the same opinion, we would love to hear 👂 why!

If you really want to use secret and secretRequired, you can define them in ivy.yaml (see configuration). Furthermore you need to define the secret itself in the [worker.properties][5] as part of the reverse proxy installation.

Security is important to us 💯 %

We, the platform development team, take security very seriously. If you have any questions or find other weaknesses, please do not hesitate to contact us.