Mon, 5 Apr 2021 at 21:59, James H. H. Lampert <jam...@touchtonecorp.com>:
>
> We've just gotten a complaint about a vulnerability involving AJP (to
> something called "Ghostcat") from a customer. The report from the
> security consultant recommends updating to a more recent version of
> Tomcat, and I note that we've already started rolling out 7.0.108 to
> customers.
>
> Looking at server.xml, the only reference to AJP is in relation to port
> 8009, and that this connector is commented out in 108, but not in 93.
>
> So what exactly *is* this connector, and what purpose does it serve?
A well-configured instance of Apache Tomcat should serve requests either
over "http:"/"https:" or over "ajp:", but not both. The clients for the
http: protocol are web browsers. The clients for the AJP protocol are web
servers (proxies).

See also:
https://tomcat.apache.org/connectors-doc/
https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html
https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors
https://en.wikipedia.org/wiki/Apache_JServ_Protocol

Best regards,
Konstantin Kolinko
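An added audit check, not from this thread or from Tomcat itself, that parses a server.xml the way the question describes and reports AJP connectors that are still enabled, not bound to a loopback address, or missing the secret a reverse proxy must present, alongside the "HTTP or AJP, not both" point of the reply. The two server.xml samples, the finding strings and the placeholder secret are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed weak sample (not from the thread): AJP on 8009 left enabled
# beside HTTP, with no address binding and no secret.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps" /></Engine>
  </Service>
</Server>"""

# Constructed hardened sample: AJP only (HTTP commented out), bound to loopback,
# with a shared secret that the reverse proxy must present.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" /> -->
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-A-LONG-RANDOM-VALUE" />
    <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps" /></Engine>
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_connectors(server_xml: str) -> dict:
    """Return active connector ports per protocol plus a list of findings."""
    root = ET.fromstring(server_xml)  # commented-out connectors are not parsed
    http_ports, ajp_ports, findings = [], [], []
    for conn in root.iter("Connector"):
        port = conn.get("port")
        proto = conn.get("protocol", "HTTP/1.1")  # Tomcat's default protocol
        if "ajp" not in proto.lower():  # also matches the AjpNio* class names
            http_ports.append(port)
            continue
        ajp_ports.append(port)
        if conn.get("address") not in LOOPBACK:
            findings.append(f"AJP {port}: address not pinned to a loopback address")
        # secretRequired defaults to true since Tomcat 7.0.100 / 8.5.51 / 9.0.31
        if conn.get("secretRequired", "true").lower() != "true":
            findings.append(f"AJP {port}: secretRequired is disabled")
        elif not conn.get("secret"):
            findings.append(f"AJP {port}: no secret configured for the proxy")
    if http_ports and ajp_ports:
        findings.append("Both HTTP and AJP connectors are enabled; use one or the other")
    return {"http_ports": http_ports, "ajp_ports": ajp_ports, "findings": findings}
```

Run it against a real server.xml by passing the file's contents; a connector that is commented out, as in the 7.0.108 default, never appears in the output because the XML parser drops comments.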