How to secure TIBCO API Exchange Gateway's embedded Apache TOMCAT server from 'GhostCat' vulnerability issue (CVE-2020-1938)
Article ID: KB0074857
Products: TIBCO API Exchange
Versions: 2.2.x, 2.3.x
Description
A vulnerability (CVE-2020-1938), named "GhostCat", has been identified in Apache Tomcat. It is a flaw in the Tomcat AJP protocol. For an attacker to exploit GhostCat, the AJP Connector must be enabled and the attacker must have network access to the AJP Connector service port.
Resolution
TIBCO API Exchange Gateway does not use the Apache Tomcat AJP Connector, so this connector can be safely disabled without any functional impact.
To disable the Apache Tomcat® AJP Connector, follow these steps:
1. Open <APIX_CONFIG_HOME>/asg.properties in a text editor.
2. Comment out the following line, e.g.:
Old Entry: be.channel.external.config.file=<Path to asg_oauth_channel.properties>
New Entry: # be.channel.external.config.file=<Path to asg_oauth_channel.properties>
3. Save the <APIX_CONFIG_HOME>/asg.properties file.
4. Restart the API Exchange instance(s).
Note: The above steps must be done irrespective of whether you have enabled or disabled OAuth functionality in your TIBCO API Exchange Gateway.
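The steps above, scripted as an added example that is not TIBCO's own tooling: it comments out the be.channel.external.config.file entry in asg.properties, keeps a backup, is safe to re-run, and verifies that no active entry remains. It assumes POSIX sh with sed and grep; the property name and file come from this article, the <APIX_CONFIG_HOME> path is supplied by the caller.

```shell
#!/bin/sh
# Added example (not part of TIBCO API Exchange): disable the external
# channel property so the embedded Tomcat AJP connector is never configured.
# Assumes POSIX sh with sed and grep. Run once per API Exchange instance.
set -eu

# Property named in the KB article, with dots escaped for use in regexes.
PROP_RE='be\.channel\.external\.config\.file'

# Return 0 if no active (uncommented) entry for the property remains.
ajp_channel_disabled() {
    ! grep -Eq "^[[:space:]]*${PROP_RE}[[:space:]]*=" "$1"
}

# Comment out every active entry for the property, keeping a timestamped
# backup so the change can be reverted. Idempotent: lines that are already
# comments are left untouched.
disable_ajp_channel() {
    f="$1"
    [ -f "$f" ] || { echo "asg.properties not found: $f" >&2; return 1; }
    if ajp_channel_disabled "$f"; then
        echo "already disabled: $f"
        return 0
    fi
    cp "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"
    # Prefix only lines that begin with the property key, preserving indent.
    sed -i.tmp -E "s|^([[:space:]]*)(${PROP_RE}[[:space:]]*=)|\1# \2|" "$f"
    rm -f "$f.tmp"
    # Final verification: fail if an active entry somehow survived.
    ajp_channel_disabled "$f"
}

# Usage: disable_ajp_channel "$APIX_CONFIG_HOME/asg.properties"
# then restart the API Exchange instance(s) for the change to take effect.
```

After the restart, confirming that nothing listens on the AJP port (Tomcat's default is 8009, a value not stated in this article) closes the loop on the fix.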