Waters

Does the Apache Tomcat "GhostCat" vulnerability affect NuGenesis? - WKB96283

Article number: 96283

ENVIRONMENT

  • NuGenesis 9 SDMS Web servers
    • Apache Tomcat 9.0.8
  • NuGenesis 8 SDMS Web servers
    • Apache Tomcat 6.0.29

ANSWER

The default Apache Tomcat configuration in NuGenesis 8 and 9.0 enables the AJP Connector on port 8009. NuGenesis does not use port 8009 or the AJP protocol, and a firewall typically blocks this port from reaching the server. However, an attacker inside the network could use it to identify the server as a Tomcat server during a port scan, so you should disable it. NuGenesis 9.1 disables the AJP connector port by default.

  1. Edit the file server.xml in the NuGenesis installation path:
    • NuGenesis 9: Drive:\Program Files (x86)\Waters\apache-tomcat-9.0.8\conf\server.xml
    • NuGenesis 8: Drive:\Program Files (x86)\apache-tomcat-6.0.29\conf\server.xml
  2. Comment out the following line:
    • <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  3. Save and close the file. Restart the Apache Tomcat service.
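
To confirm the edit took effect, the check below parses server.xml as XML, so a Connector inside a comment no longer counts, and then looks for a listener on port 8009. It is an added example, not Waters or NuGenesis code: the function name and both sample fragments are constructed for illustration, and it assumes Windows Server 2012 or later for Get-NetTCPConnection.

```powershell
# Added example: the two server.xml fragments below are constructed samples,
# not the file shipped with NuGenesis.
function Get-ActiveAjpConnector {
    param([Parameter(Mandatory)][string]$ServerXmlText)
    # A <Connector> wrapped in <!-- --> is a comment node, not an element,
    # so only connectors Tomcat would actually load are returned.
    $doc = [xml]$ServerXmlText
    $doc.SelectNodes('//Connector') | Where-Object {
        # Matches "AJP/1.3" and class names such as org.apache.coyote.ajp.AjpNioProtocol
        $_.GetAttribute('protocol') -match 'ajp'
    }
}

$before = @'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
'@

$after = @'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
  </Service>
</Server>
'@

$samples = [ordered]@{ 'before edit' = $before; 'after edit' = $after }
foreach ($name in $samples.Keys) {
    $ajp = @(Get-ActiveAjpConnector -ServerXmlText $samples[$name])
    $ports = ($ajp | ForEach-Object { $_.GetAttribute('port') }) -join ','
    '{0}: {1} active AJP connector(s) {2}' -f $name, $ajp.Count, $ports
}

# On the server itself, pass the real file instead of a sample, for example:
#   Get-ActiveAjpConnector -ServerXmlText (Get-Content -Raw '<path to conf\server.xml>')

# After restarting the Apache Tomcat service, nothing should listen on 8009.
$listener = Get-NetTCPConnection -LocalPort 8009 -State Listen -ErrorAction SilentlyContinue
if ($listener) { 'Port 8009 is still listening' } else { 'No listener on port 8009' }
```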

ADDITIONAL INFORMATION

Several versions of Apache Tomcat later than 6.0.29 were informally tested and found to be compatible with NuGenesis 8. All of those versions are also subject to the GhostCat vulnerability by default. The recommendation above is applicable regardless of the Tomcat version in use with NuGenesis 8.

For NuGenesis 9 SDMS, the only tested and supported version of Apache Tomcat is v9.0.8.
