Solved

Apache Tomcat RCE Vulnerability - April19 (Windows)


Does the latest version of FME Server use Apache Tomcat versions 7.0.94, 8.5.40, 9.0.19 or later? Our security monitors alerted us to the following Critical vulnerability. See https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/

Thanks

Hi @softwrite1,

Safe Software are aware of this vulnerability which involves Apache Tomcat’s Common Gateway Interface (CGI) Servlet. FME Server 2019 uses version 8.5.32 and also does not use the CGI protocol so this should not be an issue for our users.

You can confirm this by reviewing your tomcat web.xml and searching for 'CGIServlet' and you should see this is disabled by default.


Hi @hollyatsafe,

Another Tomcat vulnerability on recent Tomcat versions -

https://thehackernews.com/2020/02/ghostcat-new-high-risk-vulnerability.html

https://www.chaitin.cn/en/ghostcat

Any updates on this please? Thanks!


Hi @fmeuser_gc, our team is actively looking into the issue you have highlighted and we will provide an update regarding any mitigation or action required.


We have determined that the AJP Connector is not required for FME Server processes. Before we release any product updates we will run this change internally against our full test suite.

You might consider implementing the suggestions from the article(s) you have linked above if you have more immediate concerns.

We will post content to the FME Community after we analyze the results of internal testing.

If you need updates in a more timely fashion, or have additional questions or concerns, please reach out to our Support Team.


Update on this Tomcat Vulnerability - The solution here is either to upgrade Tomcat to the latest version or to disable the AJP connector in the server.xml file.

Hi @rylanatsafe, the confusion here was that the AJP connector was enabled (by default) though it's not needed. We've disabled it now and it looks okay.

@fmeuser_gc You are correct on both accounts! We plan to publish an article detailing how FME Server admins can disable the AJP Connector for their existing installations. We will disable this component in the product, and will schedule a Tomcat upgrade (as you note, where it's disabled by default now).

There were no issues observed after our internal testing.

Just an FYI that I did an install of 2020.0.0.1-b20202-win-x64 that still has the AJP connector enabled. It looks like this is not disabled by default until 9.0.31; 9.0.24 is what was installed with the default Windows install. Commenting out the AJP connector doesn't seem to affect anything.

Hi @jeovis, the AJP Connector will be disabled by default in the next minor update of FME Server 2020.0.

As you have noticed it doesn't affect anything – we do not use this component with FME Server.

Edited to specify FME Server 2020.0.

@rylanatsafe Hi, we are running FME Server 2019.2.1 Build 19813 - win32. Can we safely upgrade Tomcat to version 9.0.31 without upgrading the FME Server?

Is the article regarding disabling the AJP connector already available?

Kind regards

Francis

Hi @fbulco, I'm sorry that we haven't posted this information more generally yet. The fix for the AJP Connector is simple enough that you can comment out the following lines in <FMEServerDir>\Utilities\tomcat\conf\server.xml

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

We have not used this Connector in any FME Server processes.

As for upgrading Tomcat, we have performed extensive testing with Tomcat 9.0.24, so while there are no known issues with 9.0.31, please note that it has not been included in our standard test coverage.

Hope that helps!
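An added example, not part of this thread or of Safe Software's own tooling: a small Python audit script that checks the two Tomcat settings discussed above. It reports any live AJP Connector in server.xml (the Ghostcat exposure; a connector that has been commented out, as described in the reply above, is not in the parsed tree and so counts as disabled) and whether web.xml both declares and maps org.apache.catalina.servlets.CGIServlet (the CVE-2019-0232 exposure, disabled by default as the first reply notes). The sample server.xml and web.xml strings are constructed for the demonstration; the conf directory path in `audit_conf_dir` is the one quoted in the thread and is passed in by the caller.

```python
"""Audit Tomcat config for an enabled AJP Connector and an active CGIServlet.

Added defender-side example; the sample XML below is constructed, not copied
from an FME Server installation.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"


def _local(tag: str) -> str:
    """Strip a namespace prefix: '{http://...}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def enabled_ajp_connectors(server_xml: str) -> list:
    """Return the attribute dicts of every live <Connector> that speaks AJP.

    Matches both the short form protocol="AJP/1.3" and the explicit
    org.apache.coyote.ajp.* class names.  Commented-out connectors are not
    parsed, so they are (correctly) not reported.
    """
    root = ET.fromstring(server_xml)
    found = []
    for el in root.iter():
        if _local(el.tag) != "Connector":
            continue
        protocol = el.get("protocol", "HTTP/1.1")  # Tomcat's default
        if "AJP" in protocol.upper():
            found.append(dict(el.attrib))
    return found


def cgi_servlet_enabled(web_xml: str) -> bool:
    """True only if CGIServlet is declared AND mapped to a URL pattern."""
    root = ET.fromstring(web_xml)
    cgi_names = set()
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = cls = None
        for child in servlet:
            if _local(child.tag) == "servlet-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "servlet-class":
                cls = (child.text or "").strip()
        if cls == CGI_SERVLET_CLASS and name:
            cgi_names.add(name)
    for mapping in root.iter():
        if _local(mapping.tag) != "servlet-mapping":
            continue
        for child in mapping:
            if _local(child.tag) == "servlet-name" and (child.text or "").strip() in cgi_names:
                return True
    return False


def audit_conf_dir(conf_dir: str) -> dict:
    """Run both checks against a real conf dir, e.g. <FMEServerDir>\\Utilities\\tomcat\\conf."""
    conf = Path(conf_dir)
    return {
        "ajp_connectors": enabled_ajp_connectors((conf / "server.xml").read_text(encoding="utf-8")),
        "cgi_servlet": cgi_servlet_enabled((conf / "web.xml").read_text(encoding="utf-8")),
    }


# Constructed sample: the stock layout quoted in the thread, AJP still live.
SERVER_XML_AJP_ON = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""

# Constructed sample: the same file after the connector is commented out.
SERVER_XML_AJP_OFF = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- AJP connector disabled; not used by FME Server
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    -->
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""

# Constructed sample: CGIServlet declared but its mapping commented out (safe).
WEB_XML_DEFAULT = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
  </servlet>
  <!-- <servlet-mapping><servlet-name>cgi</servlet-name><url-pattern>/cgi-bin/*</url-pattern></servlet-mapping> -->
</web-app>"""

# Constructed sample: the mapping uncommented (CGIServlet reachable).
WEB_XML_CGI_ON = WEB_XML_DEFAULT.replace("<!-- <servlet-mapping>", "<servlet-mapping>").replace(
    "</servlet-mapping> -->", "</servlet-mapping>")


if __name__ == "__main__":
    print("AJP on :", enabled_ajp_connectors(SERVER_XML_AJP_ON))
    print("AJP off:", enabled_ajp_connectors(SERVER_XML_AJP_OFF))
    print("CGI default:", cgi_servlet_enabled(WEB_XML_DEFAULT))
    print("CGI mapped :", cgi_servlet_enabled(WEB_XML_CGI_ON))
```

Point `audit_conf_dir` at the Tomcat conf directory after applying the change above; an empty `ajp_connectors` list and `cgi_servlet` of False is the state the thread describes as safe for FME Server.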


@jsarris, Yes, you can disable the AJP connector. There shouldn't be any impact.

FYI, this will be disabled by default from next versions.


Any users that come across this post looking for information on the AJP Connector vulnerability please see this article for more information.

If your security scan reports any other vulnerabilities with FME Server, please contact Safe Software Support with the CVE numbers so that we can investigate these for you.
