Closing a security vulnerability in the Apache Tomcat software we use
As reported last week in an article by heise online, Apache Tomcat from version 6.0 onward contains a critical vulnerability known as "Ghostcat" (CVE-2020-1938). It is exploitable through the so-called "AJP Connector Service": anyone who can reach the AJP port over the network can attack the Tomcat instance. Patched releases exist (Tomcat 7.0.100, 8.5.51 and 9.0.31; Tomcat 6 is end of life and receives no fix), so upgrading is the lasting remedy; the steps below are the interim mitigation.
In the short term the vulnerability can be mitigated by blocking unauthorised access to the AJP connector port (default port 8009), for example with a firewall rule, or by disabling the AJP connector completely. InterCard products do not use this connector; they use only the HTTP connector, so the AJP connector can be disabled without loss of function.
The deactivation of the AJP Connector Service can be carried out as follows:
- Open the configuration file <CATALINA_BASE>/conf/server.xml (<CATALINA_BASE> stands for the Tomcat folder). We strongly recommend that you make a backup copy of the configuration file first.
- Comment out or delete the following line:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> The port values and the attribute order can differ from this example, and the element may be spread over several lines. If the line is already enclosed in a <!-- ... --> comment block (as in the stock server.xml of recent Tomcat releases), the connector is already disabled; do not wrap it in a second comment, since nested comments are invalid XML and Tomcat will fail to start.
- Save the changes to the file and restart Tomcat. After the restart, confirm that nothing is listening on the AJP port any more (for example with ss -ltn or netstat -an on the server).
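The following script carries out the steps above and adds the check a practitioner wants afterwards: it backs up server.xml, wraps every AJP connector that is not already inside a comment in an XML comment, and then re-parses the result with an XML parser (which ignores comments) to confirm that no AJP connector would still be started. This is an added example written for this advisory, not InterCard's or Apache Tomcat's own tooling. It assumes a UTF-8 server.xml, self-closing <Connector .../> elements as in the stock configuration, and a backup name of <file>.bak; it also recognises the AJP implementation class names (org.apache.coyote.ajp.*) in addition to the "AJP/1.3" alias, which goes beyond the single line quoted above. The embedded sample server.xml is constructed for illustration.

```python
"""Disable the AJP connector in a Tomcat server.xml and verify nothing is left active.

Added example for this advisory; not InterCard's or Apache Tomcat's own tooling.
Assumptions: UTF-8 file, self-closing <Connector .../> elements as in the stock
server.xml, and a backup named <file>.bak next to the original.
"""
import re
import shutil
import sys
import xml.etree.ElementTree as ET

# A self-closing <Connector .../> element, possibly spread over several lines.
_CONNECTOR_RE = re.compile(r"<Connector\b[^>]*?/>", re.DOTALL)
# An XML comment: a connector inside one is already inactive and must not be re-wrapped.
_COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
# The protocol attribute of a connector element (absent means HTTP/1.1).
_PROTO_ATTR_RE = re.compile(r"""protocol\s*=\s*["']([^"']*)["']""")


def _is_ajp_protocol(value):
    # Tomcat accepts the alias "AJP/1.3" or the implementation class name.
    return value == "AJP/1.3" or value.startswith("org.apache.coyote.ajp.")


def disable_ajp_connectors(text):
    """Wrap every active AJP connector element in an XML comment.

    Returns (new_text, number_of_connectors_disabled). Connectors that are
    already commented out are left alone, so running this twice is safe.
    """
    comment_spans = [m.span() for m in _COMMENT_RE.finditer(text)]
    pieces, last, disabled = [], 0, 0
    for m in _CONNECTOR_RE.finditer(text):
        in_comment = any(start <= m.start() < end for start, end in comment_spans)
        proto = _PROTO_ATTR_RE.search(m.group(0))
        if in_comment or proto is None or not _is_ajp_protocol(proto.group(1)):
            continue
        pieces.append(text[last:m.start()])
        pieces.append("<!-- AJP connector disabled (Ghostcat mitigation):\n"
                      + m.group(0) + "\n-->")
        last = m.end()
        disabled += 1
    pieces.append(text[last:])
    return "".join(pieces), disabled


def active_ajp_ports(text):
    """Ports of the AJP connectors Tomcat would actually start.

    Independent check: the XML parser drops comments, and it also sees AJP
    connectors written in a form the regex above does not rewrite, such as a
    non-self-closing <Connector ...></Connector>.
    """
    root = ET.fromstring(text.encode("utf-8"))
    return [c.get("port", "?") for c in root.iter("Connector")
            if _is_ajp_protocol(c.get("protocol", ""))]


# Constructed sample resembling a stock server.xml: an HTTP connector (must stay),
# an active AJP connector on 8009 (must be disabled) and one already commented out.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <!--
    <Connector protocol="AJP/1.3" port="8010" redirectPort="8443" />
    -->
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def main(path):
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    shutil.copy2(path, path + ".bak")  # backup first, as the advisory recommends
    new_text, disabled = disable_ajp_connectors(text)
    if disabled:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    remaining = active_ajp_ports(new_text)
    print("disabled %d AJP connector(s); still active on port(s): %s"
          % (disabled, ", ".join(remaining) or "none"))
    return 1 if remaining else 0  # non-zero exit means manual editing is still needed


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "conf/server.xml"))
```

Run it as `python3 disable_ajp.py /path/to/<CATALINA_BASE>/conf/server.xml` before restarting Tomcat; a non-zero exit status means an AJP connector remains that the script could not rewrite (for example one written with a separate closing tag) and has to be commented out by hand. The parser-based check is the part worth keeping even if you edit the file manually, because a connector that is commented twice or only half commented will either stay active or stop Tomcat from starting.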
Apache Tomcat is used in the following InterCard products:
- smart.TO.GET (interface for validations)
- my.InterCard Payment-Service
- Terminal product lines smart.UP, add.UP, smart.BOOK, smart.GET, smart.MOVE, smart.EXPERT and vario.UP
If you need support with disabling the AJP connector, please contact our hotline (+49 7720 9945-55, firstname.lastname@example.org).