{{{#!wiki red/solid Beginning with Solr 5.0, Solr is no longer distributed as a 'war' (Web Application Archive) suitable for deployment in any Servlet Container. Solr is now distributed as a stand alone java server application, including start and stop scripts for use on Unix and MS-Windows platforms, as well as an installation script for setting up a 'production' installation of Solr on *nix platforms managed via /etc/init.d. See https://wiki.apache.org/solr/WhyNoWar
}}}
Solr has been tested on Tomcat 5.5, 6, and 7. In Tomcat 7 there was a bug with resolving URLs ending in '/'. This should be fixed in Tomcat 7.0.5+, see SOLR-2022 for full details.
See the instructions in the generic Solr installation page for general info before consulting this page.
Simple Example Install
Solr 4.3 requires a completely different deployment. These instructions are not current and are for an indeterminate version of Solr.
Though this page needs to be completely re-written for the latest Solr version, here are the main differences with Solr 4.3 (at least for running a single instance). These steps are required for both Linux and Windows.
- Java 1.7 is required
- The JAR files from the Solr lib/ext directory (something like /opt/solr/example/lib/ext) must be copied to $CATALINA_HOME/lib/
- The log4j.properties file from the resources file (something like /opt/solr/example/resources) must be copied to $CATALINA_HOME/lib/
Installing Tomcat 6
Apache Tomcat is a web application server for Java servlets. These are instructions for manually installing Tomcat 6 on Linux, recommended because distribution Tomcats are either old or quirky.
Create the solr user. As solr, extract the Tomcat 6.0 download into /opt/tomcat6, hereafter referred to as the $CATALINA_HOME directory.
Edit $CATALINA_HOME/conf/tomcat-users.xml to enable the manager login as user 'tomcat' with password 'tomcat' (insecure):
Start Tomcat with $CATALINA_HOME/bin/catalina.sh run. Tomcat runs on the port defined in $CATALINA_HOME/conf/server.xml, configured by default to port 8080.
The startup script tomcat6 can be placed in /etc/init.d/tomcat6 on CentOS/RedHat/Fedora so that you can start Tomcat using service tomcat6 start. Use chkconfig to enable the tomcat6 service to start on boot.
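The tomcat-users.xml step above grants the Manager application to user 'tomcat' with password 'tomcat' and calls that insecure. As an added example (not part of this wiki page or of Tomcat), the following script reads a tomcat-users.xml and reports privileged accounts whose password is empty, equals the username, or is one of the placeholder values this page and Tomcat's own commented-out sample use; it also flags an account holding both manager-gui and manager-script, which Tomcat's Manager documentation advises against. The two tomcat-users.xml documents inside it are constructed samples, and the role set is an assumption covering the Manager and Host Manager roles.

```python
"""Audit tomcat-users.xml for weak Manager credentials (added example)."""
import sys
import xml.etree.ElementTree as ET

# Assumed set of roles that control deployments; any account holding one needs a real password.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}
# Placeholder passwords: the one this wiki suggests and the one in Tomcat's sample file.
PLACEHOLDER_PASSWORDS = {"tomcat", "s3cret"}

# Constructed sample mirroring the insecure suggestion above (Tomcat 6 style, no namespace).
INSECURE_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="tomcat" roles="manager-gui,manager-script"/>
</tomcat-users>
"""

# Constructed sample: one scripting-only deployer with a long random password (Tomcat 7+ style).
HARDENED_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-script"/>
  <user username="deployer" password="q7Vt2mLz9pXa4RkYw8Hn" roles="manager-script"/>
</tomcat-users>
"""


def _local(tag):
    """Strip an XML namespace prefix; Tomcat 7+ files declare xmlns, Tomcat 6 files do not."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return one finding string per problem found on a privileged account."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        # MemoryUserDatabase accepts either 'username' or the older 'name' attribute.
        name = el.get("username") or el.get("name") or "?"
        password = el.get("password", "")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if not privileged:
            continue
        if password == "":
            findings.append(f"user '{name}' holds {privileged} with an empty password")
        elif password == name or password.lower() in PLACEHOLDER_PASSWORDS:
            findings.append(f"user '{name}' holds {privileged} with the guessable password '{password}'")
        if {"manager-gui", "manager-script"} <= roles:
            findings.append(f"user '{name}' has both manager-gui and manager-script; "
                            "use separate accounts so a browser session cannot drive the script interface")
    return findings


if __name__ == "__main__":
    # Usage: python audit_users.py $CATALINA_HOME/conf/tomcat-users.xml (defaults to the sample).
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else INSECURE_USERS_XML
    for finding in audit_tomcat_users(text):
        print(finding)
```

Digested passwords (Tomcat 7+ with a CredentialHandler) are compared literally, so a digested value never matches the placeholder list; the check is meant for the plain-text entries this page describes.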
Building Solr
Skip this section if you have a binary distribution of Solr. These instructions are for building Solr from source, if you have a nightly tarball or have checked out the trunk from subversion at http://svn.apache.org/repos/asf/lucene/dev/trunk. Assumes that you have JDK 1.6 already installed.
In the source directory, run ant dist to build the .war file under dist. Build the example for the Solr tutorial by running ant example. Change to the 'example' directory, run java -jar start.jar and visit localhost:8983/solr/admin to test that the example works with the Jetty container.
Installing Solr instances under Tomcat
Assuming that Solr and its example are built, this is how to install the Solr example as an instance under Tomcat.
Copy the example/solr directory from the source to the installation directory like /opt/solr/example/solr, hereafter $SOLR_HOME. Copy the .war file dist/apache-solr-*.war into $SOLR_HOME as solr.war.
The configuration file $SOLR_HOME/conf/solrconfig.xml in the example sets dataDir for the index to be ./solr/data relative to the current directory - which is true for running the Jetty server provided with the example, but incorrect for Tomcat running as a service. Modify the dataDir to specify the full path to $SOLR_HOME/data:
The dataDir can also be temporarily overridden with the JAVA_OPTS environment variable prior to starting Tomcat:
Create a Tomcat Context fragment to point docBase to the $SOLR_HOME/solr.war file and solr/home to $SOLR_HOME:
Symlink or place the file in $CATALINA_HOME/conf/Catalina/localhost/solr-example.xml, where Tomcat will automatically pick it up. Tomcat deletes the file on undeploy (which happens automatically if the configuration is invalid).
Repeat the above steps with different installation directories to run multiple instances of Solr side-by-side.
If Tomcat is not already running, start it with service tomcat6 start or $CATALINA_HOME/bin/startup.sh run. The Solr admin should be available at http://:8080/solr-example/admin.
Single Solr Instance
If you are sure that you will only ever run one instance of Solr, you can do away with the Context fragment by placing the .war in $CATALINA_HOME/webapps/solr-example.war and setting the Solr home through a global environment variable prior to starting Tomcat:
Troubleshooting
Login to Tomcat Management page does not work
$CATALINA_HOME/conf/tomcat-users.xml may be missing the correct user line.
Tomcat Manager does not list Solr
The Context fragment may be invalid. Examine $CATALINA_HOME/tomcat6/logs/catalina.out.
Exceptions when visiting Solr admin
View $CATALINA_HOME/logs/catalina.out for a better view of the exceptions. Probably caused by an incorrect path in solrconfig.xml or the Context fragment, or by an unclean build (run ant clean and rebuild the source).
HTTP 500 error
If, when installing Solr 3.5, you get an HTTP 500 error and the exception message begins with
the problem is caused by incorrect locations in $SOLR_HOME/conf/solrconfig.xml and can be fixed by reading The Solr 3.5 Post-Release Notes.
Optional Configuration
Logging
For information about controlling JDK Logging (aka: java.util logging) in Tomcat, please consult the Tomcat docs... http://tomcat.apache.org/tomcat-6.0-doc/logging.html
URI Charset Config (only needed before Solr 4.1)
Since Solr 4.1, Solr parses request parameters (in the URL or sent with POST using content-type application/x-www-form-urlencoded) in its dispatcher code. It no longer relies on special configuration settings in Tomcat or other web containers to enable UTF-8 encoding, which is mandatory for correct Solr behaviour.
Solr now works out of the box with e.g. Tomcat, JBoss,...
In older Solr versions (before Solr4.1), you have to revisit this: Edit Tomcat's conf/server.xml and add the following attribute to the correct Connector element: URIEncoding='UTF-8'.
Configuring Solr Home with JNDI
Tomcat context fragments can be used to configure the JNDI property needed to specify your Solr Home directory.
Just put a context fragment file under $CATALINA_HOME/conf/Catalina/localhost that looks something like this...
$ cat /tomcat55/conf/Catalina/localhost/solr.xml
A few things to keep in mind:
- The 'conf/Catalina/localhost' directory may not exist by default in your installation. You may have to create it.
- '/some/path/solr.war' is the absolute path to where ever you want to keep the Solr war using the appropriate syntax for your Operating System. In Tomcat 5.5 and later, the war file must be stored outside of the webapps directory for this to work. Otherwise, this entire Context element is ignored.
- '/my/solr/home' should be to where you have created your Solr Home directory, using the appropriate syntax for your Operating System.
- Prior to Tomcat 5.5, a 'path' attribute was required for Context elements. Starting with 5.5, the path attribute must not be used except when statically defining a Context in server.xml, as it is inferred from the Context fragment filename.
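The rules listed above (path inferred from the fragment filename, an absolute docBase outside webapps, Solr Home supplied through a JNDI Environment named solr/home) can be checked before the fragment is dropped into conf/Catalina/localhost, which matters because Tomcat deletes a fragment it cannot deploy. The following validator is an added example, not code from the Solr wiki or the Tomcat project; the two fragments inside it are constructed, and the '#'-to-'/' filename mapping for nested context paths is Tomcat's own convention.

```python
"""Validate a Solr Tomcat Context fragment against this section's rules (added example)."""
import ntpath
import os
import posixpath
import xml.etree.ElementTree as ET

# Constructed fragment in the shape this section describes.
GOOD_FRAGMENT = """<Context docBase="/some/path/solr.war" crossContext="true">
  <Environment name="solr/home" type="java.lang.String" value="/my/solr/home" override="true"/>
</Context>
"""

# Constructed fragment that breaks three rules: path attribute, war under webapps, no solr/home.
BAD_FRAGMENT = """<Context path="/solr" docBase="/opt/tomcat6/webapps/solr.war" />
"""


def context_path_for(filename):
    """Map a fragment filename to the context path Tomcat infers from it."""
    base = os.path.basename(filename)
    if not base.lower().endswith(".xml"):
        raise ValueError("context fragments must end in .xml")
    stem = base[:-4]
    if stem == "ROOT":
        return "/"
    # Tomcat maps '#' in the filename to '/' for nested paths (a#b.xml -> /a/b).
    return "/" + stem.replace("#", "/")


def _is_absolute(path):
    """Accept POSIX or Windows absolute paths regardless of the host running the check."""
    return posixpath.isabs(path) or ntpath.isabs(path)


def check_context_fragment(xml_text, filename, catalina_home):
    """Return a list of problems; an empty list means the fragment follows the rules above."""
    problems = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Tomcat fails the deployment on malformed XML and removes the fragment on undeploy.
        return [f"fragment is not well-formed XML ({exc})"]
    if root.tag != "Context":
        return [f"root element is <{root.tag}>, expected <Context>"]
    if "path" in root.attrib:
        problems.append(f"'path' attribute present; Tomcat 5.5+ infers {context_path_for(filename)} "
                        "from the filename, so remove the attribute")
    doc_base = root.get("docBase")
    if not doc_base:
        problems.append("docBase missing; it should point at the solr.war file")
    else:
        if not _is_absolute(doc_base):
            problems.append(f"docBase '{doc_base}' is not an absolute path")
        webapps = os.path.normpath(os.path.join(catalina_home, "webapps"))
        if os.path.normpath(doc_base).startswith(webapps + os.sep):
            problems.append("docBase lies under webapps; Tomcat ignores the whole Context element")
    homes = [e for e in root.findall("Environment") if e.get("name") == "solr/home"]
    if not homes:
        problems.append('no <Environment name="solr/home"> element; Solr cannot locate its home')
    elif homes[0].get("type") != "java.lang.String":
        problems.append("solr/home Environment must have type java.lang.String")
    return problems


if __name__ == "__main__":
    for name, text in (("solr-example.xml", GOOD_FRAGMENT), ("solr.xml", BAD_FRAGMENT)):
        print(name, "->", context_path_for(name), check_context_fragment(text, name, "/opt/tomcat6") or "ok")
```

Run it against a real fragment by reading the file into `check_context_fragment` with the filename you intend to use and your $CATALINA_HOME.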
Enabling Longer Query Requests
If you try to submit too long a GET query to Solr, then Tomcat will reject your HTTP request on the grounds that the HTTP header is too large; symptoms may include an HTTP 400 Bad Request error or (if you execute the query in a web browser) a blank browser window.
If you need to enable longer queries, you can set the maxHttpHeaderSize attribute on the HTTP Connector element in your server.xml file. The default value is 4K. (See http://tomcat.apache.org/tomcat-5.5-doc/config/http.html)
Multiple Solr Webapps
Tomcat context fragments make configuring multiple Solr webapps (with JNDI) in a single Tomcat server easy.
Just follow the previous instructions for 'Configuring Solr Home with JNDI' to create a separate context fragment file under $CATALINA_HOME/conf/Catalina/localhost for each solr webapp you want to run:
$ cat /tomcat55/conf/Catalina/localhost/solr1.xml
$ cat /tomcat55/conf/Catalina/localhost/solr2.xml
Don't put anything related to Solr under the webapps directory.
The solr home directories are configured via JNDI in the context fragment, and in the examples above will be /some/path/solr1home and /some/path/solr2home.
The URLs to the two webapps will be http://host:port/solr1 and http://host:port/solr2.
Tomcat on Windows
Single Solr app
- Download and install Tomcat for Windows using the MSI installer. Install it with the tcnative.dll file. Say you installed it in c:\tomcat
- Check if Tomcat is installed correctly by going to http://localhost:8080/
- Change the c:\tomcat\conf\server.xml file to add the URIEncoding Connector element as shown above.
- Download and unzip the Solr distribution zip file into (say) c:\temp\solrZip
- Make the 'solr home' directory, where you intend the application server to keep Solr's files, say c:\web\solr
- Copy the contents of the example\solr directory c:\temp\solrZip\example\solr to c:\web\solr
- Stop the Tomcat service
- Copy the *solr*.war file from c:\temp\solrZip\dist to the Tomcat webapps directory c:\tomcat\webapps
- Rename the *solr*.war file solr.war
- Configure Tomcat to recognize the solr home directory you created, by adding the Java Options -Dsolr.solr.home=c:\web\solr and -Dsolr.velocity.enabled=false
  - either use the system tray icon to add the java option
  - or manually edit the environment script c:\tomcat\bin\setenv.bat and add it to JAVA_OPTS
  - Note: For Tomcat 7 and Solr 3.4 (the latest version as of 2011-09-23), the above option in setenv.bat may not work; if so, skip it and put this code fragment in $CATALINA_HOME/conf/Catalina/localhost/solr.xml instead:
- Start the Tomcat service
- Go to the solr admin page to verify that the installation is working. It will be at http://localhost:8080/solr/admin
- NOTES: The following are notes from a novice installer on Windows 7, Tomcat 7.0.50, and Solr 4.7.0. I had help from http://stackoverflow.com/questions/17619809/installing-apache-solr-4-3-1-on-apache-tomcat-6-0. I'm not sure everything is elegant, but this is how I got it working.
  - Follow the instructions above.
  - Logging Jars: Make sure to copy the logging jars from C:\solr-4.7.0\example\lib\ext to the Tomcat lib directory (such as C:\apache-tomcat-7.0.50\lib) or you will likely get a 'severe error filterstart' error when starting Tomcat.
  - Folder Structure: In my case, I named the root folder C:\solr-4.7.0, I made a subfolder called C:\solr-4.7.0\solr_home, and I copied the contents of C:\solr-4.7.0\example\solr directly into C:\solr-4.7.0\solr_home. So inside C:\solr-4.7.0\solr_home there should be 'bin' and 'collection1' subfolders as well as several files.
  - Tomcat Startup: I started tomcat using C:\apache-tomcat-7.0.50\bin\startup.bat. I modified this file by adding the line 'set JAVA_OPTS=-Dsolr.solr.home=c:\solr-4.7.0\solr_home -Dsolr.velocity.enabled=false' and things worked.
  - So far I have not needed to modify the URIEncoding Connector as mentioned above. I believe that may not be necessary with solr-4.7.0+, but not sure.
  - Tomcat by default runs on port 8080. Solr includes a Java application called post.jar for posting data to the index, which is referenced in the tutorial. It can be found in C:\solr-4.7.0\example\exampledocs. Make sure that you pass this application the correct port number, as by default it expects port 8983 and you'll get a connection error. For example, at a Windows command prompt, 'java -Durl=http://localhost:8080/solr/update -jar post.jar hd.xml'
Multiple Solr apps
- Download and install Tomcat for Windows using the MSI installer. Install it with the tcnative.dll file. Say you installed it in c:\tomcat
- Check if Tomcat is installed correctly by going to http://localhost:8080/
- Change the c:\tomcat\conf\server.xml file to add the URIEncoding Connector element as shown above.
- Download and unzip the Solr distribution zip file into (say) c:\temp\solrZip
- Say you need two apps in c:\web\solr1 and c:\web\solr2; create these two directories
- Copy the contents of the example\solr directory c:\temp\solrZip\example\solr to c:\web\solr1 and to c:\web\solr2
- Stop the Tomcat service
- Copy the *solr*.war file from c:\temp\solrZip\dist to the Tomcat lib directory c:\tomcat\lib
- Rename the *solr*.war file solr.war
- Make a new text file in c:\tomcat\conf\Catalina\localhost called solr1.xml with the following code fragment
- Make a new text file in c:\tomcat\conf\Catalina\localhost called solr2.xml with the following code fragment
- Start the Tomcat service
- Go to the solr admin pages for the 2 webapps to verify that the installation is working. They will be at http://localhost:8080/solr1/admin and http://localhost:8080/solr2/admin
64-bit Note
The MSI installer that installs Tomcat as a Windows service isn't prepared to support 64-bit Windows out of the box. There are some straightforward workarounds, though. See http://stackoverflow.com/questions/211446/how-to-run-tomcat-6-on-winxp-64-bit
//! TODO //!
Indicate how to index in tomcat (rather than built-in jetty support via start.jar).
To use the indexing examples in the Solr Tutorial, use the -Durl parameter, e.g.
External Resources
Troubleshooting Errors
It's possible that you get an error related to the following:
This is due to your tomcat instance not having the xalan jar file in the classpath. It took me some digging to find this, and thought it might be useful for others. The location varies from distribution to distribution, but I essentially just added (via a symlink) the jar file to the shared/lib directory under the tomcat directory.
Solr Tomcat Distributions
HDS - Heliosearch Distribution for Solr
Heliosearch Distribution for Solr contains a pre-configured Tomcat based Solr server that is open source and free to use.
Simply download and go:
This analysis of the Apache Tomcat vulnerability seeks to put the most feared Ghostcat-related scenario into perspective by delving into the unlikely circumstances that would make it possible to allow an RCE through the vulnerability.
Discussions surrounding the Ghostcat vulnerability (CVE-2020-1938 and CNVD-2020-10487) found in Apache Tomcat put it in the spotlight as researchers looked into its security impact, specifically its potential use for remote code execution (RCE).
Apache Tomcat is a popular open-source Java servlet container, so the discovery of Ghostcat understandably set off some alarms. This blog entry seeks to put the most feared Ghostcat-related scenario into perspective by delving into the unlikely circumstances that would make it possible to allow an RCE through the vulnerability.
The AJP Protocol
Ghostcat was discovered on Feb. 20 by Chaitin Tech security researchers, who reported that the vulnerability exists in the Apache JServ Protocol (AJP). The AJP is a binary protocol used by the Apache Tomcat webserver to communicate with the servlet container that sits behind the webserver using TCP connections. It is mainly used in a cluster or reverse proxy scenario where web servers communicate with application servers or servlet containers.
In simple terms, this means that the HTTP Connector is exposed to clients, while the AJP is used internally between the webserver (e.g., Apache HTTPD) and the Apache Tomcat server (illustrated in Figure 1). AJP is implemented as a module in the Apache HTTP Server, represented as mod_jk or mod_proxy_ajp. The bottom line is that AJP is not, by nature, exposed externally. This is important to point out, as it's one of the prerequisites for the RCE scenario that we will discuss in the next section.
Figure 1. Apache JServ Protocol illustration
The Ghostcat Vulnerability
Ghostcat in itself is a Local File Include/Read vulnerability and not an Arbitrary File Upload/Write vulnerability. On the Apache Tomcat Security Advisory page, Ghostcat is described as 'AJP Request Injection and potential Remote Code Execution.' The keyword 'potential' serves to emphasize that Ghostcat is not an RCE vulnerability by default.
The advisory further detailed the circumstances necessary for an RCE to take place: The web application needs to allow file upload and storage of these uploaded files within the web application itself, or an attacker would have to gain control over the content of the web application somehow. This scenario, combined with the ability to process a file as a JSP (as made possible through the vulnerability), would make an RCE feasible.
In summary, Ghostcat can cause issues to organizations if they have Tomcat AJP Connector exposed externally, which is not a recommended configuration in the first place. However, aside from an exposed AJP, it would require several other prerequisites for an RCE to happen. These are requirements that, when combined, are hard to find in a real-world scenario.
João Matos, a well-known security researcher from Brazil, identified the prerequisites needed for Ghostcat to become an RCE.
Figure 2. Post identifying the prerequisites for an RCE to take place
We looked into these further, as elaborated below:
Upload files via an APP feature. This first prerequisite means that an application with a file upload feature should already be installed in the system for the RCE to be possible. If this is the case, it would be more convenient for a potential attacker to use the web application itself with a file upload vulnerability to upload a malicious web shell file. The need to interpret the file as JSP would only arise in cases where the upload vulnerability restricts certain file extensions such as JPG or TXT.
These files are saved inside the document root. Once an attacker has compromised the application and been able to upload the malicious file, the file would need to be saved inside the application root folder. This prerequisite by itself is unlikely or difficult to orchestrate for two reasons: 1) it is uncommon for Java applications to save files in their application root folder; and 2) the application root folder is transitory, so it is completely overwritten whenever a new version of the application is deployed. In addition, from a developer perspective, it makes little sense for a file upload feature to upload files inside the root folder, since most Apache Tomcat applications are deployed as a .WAR file, which is basically a zip file.
Reach the AJP port directly. Lastly, after these two prerequisites are met, a potential attacker would have to be able to reach the Tomcat AJP Connector (default port 8009) directly from the internet through the reverse-proxy, which is an externally exposed AJP. As mentioned, this is not a recommended or common configuration. Even if the AJP Connector is exposed and an attacker tried to communicate with it, they would receive a 400 Bad Request response from the web server since AJP is a binary protocol.
How serious is Ghostcat?
What adds to the notoriety of Ghostcat is the fact that it has been around for over thirteen years and affects all major versions of Apache Tomcat. In this blog entry, we try to help manage the alarm brought about by the discovery of the vulnerability. Given all the requirements described above, it is unlikely for these requirements to happen in a real-world scenario that would turn Ghostcat into an RCE vulnerability. An attacker would need to actively make these requirements happen, as there is unlikely a legitimate reason for them to exist in a real-world setting.
Most PoCs demonstrating the issue already had a webshell.txt file inside the webapps/ROOT of the Apache Tomcat, thus enabling the RCE prior to exploiting Ghostcat. In a real-world scenario, an attacker already inside a network may be able to leverage this vulnerability to perform lateral movement because they would be able to reach the AJP Connector directly. However, for them to reach this stage of their attack, they would still need to upload a malicious file such as a webshell inside the webapps/folder to use the Ghostcat LFI vulnerability, and then force the file to be interpreted as JSP regardless of the extension, which would be difficult to do.
A Fix for Ghostcat
The fixes done by the Apache Tomcat team to address Ghostcat should also provide further clarity on its true limitations. In this section, we detail the fixes in the code from version 9.0.31, which mostly shares the same code with other versions.
Ghostcat relies on a misconfiguration (as seen below) of the AJP Connector where it is enabled by default on the /conf/server.xml file:
The Apache Tomcat team commented out this line from the file, thus disabling the AJP connector by default on the commit 4c933d8, as seen in figure 3.
Figure 3. Image showing Commit 4c933d8, which disables the AJP connector by default
On its own, the code fix above is enough to stop Ghostcat from happening since it disables AJP by default. This should only be done if the AJP is not being used.
We detail a second fix that does not necessarily disable AJP but limits it to only listen to the loopback interface by default (figure 4). The Apache Tomcat team made other changes to improve the overall usage of the AJP Protocol, such as enforcing a secret to be defined when the secretRequired attribute is set to true (figure 5). They also made sure that any requests to the AJP Connector that contains arbitrary and unrecognized attributes receive a 403 (Forbidden) response (figure 6).
Figure 4. Image showing Commit 0e8a50f0, which forces the AJP protocol to listen to the loopback address by default instead of 0.0.0.0.
Figure 5. Image showing Commit 9ac90532, which checks if the parameter secretRequired is set to 'true' and there is a defined 'secret'
Figure 6. Image showing Commit 64fa5b99, which blocks requests to the AJP Connector with a 403 Forbidden message response if it contains any arbitrary and unrecognized attributes
Conclusion
Given all that has been discussed in this post, it is still important for users to recognize that Ghostcat still poses risks even if it's not an RCE by default. The fact that there are already many publicly available exploits for this vulnerability should push users to update their Tomcat to the latest version as soon as possible to reduce the risk of being exploited.
Apache Tomcat has released fixes for the following versions of Tomcat:
- Tomcat 7 (version 7.0.1000)
- Tomcat 8 (version 8.5.51)
- Tomcat 9 (version 9.0.31)
If updating is not an immediate option, users who are not using the AJP Connector Service should instead disable it by commenting or completely removing it from the $CATALINA_HOME/conf/server.xml and restarting Tomcat, similar to the actions taken by the Apache Tomcat team described above.
Aside from upgrading Tomcat to the latest version, if the AJP Connector service is being used, set the 'secret' attribute to define AJP protocol authentication credentials, as recommended by Chaitin and shown below:
    <Connector protocol='AJP/1.3'
               address='::1'
               port='8009'
               redirectPort='8443'
               secretRequired='true'
               secret='YOUR_SECRET_HERE' />
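The mitigations in this post reduce to three checks on each AJP Connector that is still active in server.xml: it should be bound to a loopback address, secretRequired should not be switched off, and a secret must actually be set. The audit below is an added example, not code from this post or the Tomcat project; it parses server.xml with the standard library, so a Connector that has been commented out is simply invisible, which is the effect of the default-disable commit described above. Both server.xml documents inside it are constructed samples, and the treatment of a missing address attribute as 0.0.0.0 reflects the pre-fix default the post describes.

```python
"""Audit a Tomcat server.xml for AJP Connector exposure (added example)."""
import sys
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: the pre-fix default, AJP active on every interface with no secret.
WEAK_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# Constructed sample following the Connector settings recommended above.
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector protocol="AJP/1.3" address="::1" port="8009" redirectPort="8443"
               secretRequired="true" secret="YOUR_SECRET_HERE" />
  </Service>
</Server>
"""


def is_ajp(connector):
    """True for the short protocol name and for the explicit AJP protocol handler classes."""
    proto = connector.get("protocol", "HTTP/1.1")
    return proto.startswith("AJP/") or proto.startswith("org.apache.coyote.ajp.")


def audit_ajp(xml_text):
    """Return a finding string per weakness on every active AJP Connector; [] means nothing to report."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if not is_ajp(conn):
            continue
        where = f"AJP Connector on port {conn.get('port', '?')}"
        address = conn.get("address")
        if address is None:
            # Before commit 0e8a50f0 an absent address meant all interfaces.
            findings.append(f"{where}: no address attribute; pre-fix Tomcat binds it to 0.0.0.0")
        elif address not in LOOPBACK:
            findings.append(f"{where}: bound to {address}; only a trusted reverse proxy should reach it")
        if conn.get("secretRequired", "true").lower() != "true":
            findings.append(f"{where}: secretRequired is disabled")
        elif not conn.get("secret"):
            # Patched Tomcat refuses to start this Connector; unpatched Tomcat accepts AJP without a secret.
            findings.append(f"{where}: secretRequired is true but no secret is set")
    return findings


def main(argv):
    """Usage: python audit_ajp.py $CATALINA_HOME/conf/server.xml (defaults to the weak sample)."""
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else WEAK_SERVER_XML
    findings = audit_ajp(text)
    for finding in findings:
        print(finding)
    print("no AJP findings" if not findings else f"{len(findings)} finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status makes the script usable as a pre-deployment gate; a server.xml with the AJP Connector commented out passes, as does the hardened form above.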
Snyk also mentions that applications using the Spring Boot framework may also be affected by this vulnerability since they use an embedded version of Tomcat by default. Users of those applications should also look into this further, to make sure they are not affected by Ghostcat.
Trend Micro Solutions
Developers, programmers, and system administrators using Apache Tomcat can also consider multilayered security technology such as Trend Micro™ Deep Discovery™. These solutions provide in-depth analysis and proactive response to attacks using exploits and other similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect these attacks even without any engine or pattern updates. Trend Micro™ Deep Discovery Inspector™ protects customers from this attack via this DDI rule:
- Rule 4354 - CVE-2020-1938 - TOMCAT AJP LFI Exploit - TCP (Request)
Trend Micro™ Deep Security™ solution also protects systems from threats that may exploit CVE-2020-1938:
- 1010184 - Identified Apache JServ Protocol (AJP) Traffic CVE-2020-1938
Trend Micro™ TippingPoint® customers are protected from threats and attacks that may exploit Ghostcat via the following MainlineDV filter:
- 37236- AJP: Apache Tomcat AJP File Request