GhostCat High Risk Vulnerability


Benito J. Gonzalez-2
Hi folks,


This issue can be mitigated by using your server firewall rules to restrict access to the AJP port. This port should only be used by a local Apache HTTPD service or a load balancer. Unless your load balancer is using AJP, this port should be locked down from outside the loopback devices. In the load balancer case, lock down access to just your load balancer.

Please have your Operations Team upgrade Tomcat as soon as feasible. For uPortal 5, the Tomcat version is kept in gradle.properties. After updating the version, running `./gradlew tomcatInstall` will set up the new version locally. Make sure to back up PORTAL_HOME files before running this command!

Benito J. Gonzalez
Senior Software Developer
Unicon, Inc.
Voice:  209.777.2754
 Text:  209.777.2754
[hidden email]
GitHub:  bjagg
BitBucket:  bjagg




--
You received this message because you are subscribed to the Google Groups "uPortal Developers" group.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/uportal-dev/10DD0CCF-B27D-4698-A9BA-5C6CF4115269%40unicon.net.