Hi All,
Be aware that the tomcat that ships with CollectionSpace is affected by the Ghostcat vulnerability: https://www.zdnet.com/article/ghostcat-bug-impacts-all-apache-tomcat-versions-released-in-the-last-13-years/
To ensure that your CollectionSpace server is not exploited:
- Make sure port 8009 is not accessible to the internet.
- If you're not using the tomcat AJP connector -- and you will likely know if you are using it -- disable it, as described here: https://www.chaitin.cn/en/ghostcat
- If you are using the AJP connector, set a requiredSecret, as described in the above link. Also consider using http/https for your reverse proxying/clustering, instead of AJP.
Thanks,
Ray
═
Ray Lee
CollectionSpace Senior Developer
LYRASIS
ray.lee@lyrasis.org
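As an added illustration (not from Ray's message or the CollectionSpace project), here are the three relevant states of the AJP connector in Tomcat's conf/server.xml; only one of the three should be present in a real file, and the secret value is a placeholder.

```xml
<!-- Added example, not part of the original mailing-list post. Attribute
     names are those of Tomcat 8.5 / 9.0 before the 2020 AJP changes, as
     referenced in the chaitin.cn write-up linked above. -->

<!-- 1. Default shipped connector: listens on every interface with no
        shared secret. This is the exposed state if port 8009 is reachable. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- 2. Not using AJP (the usual CollectionSpace case): comment the
        connector out so Tomcat never opens port 8009 at all.
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
-->

<!-- 3. Using AJP for reverse proxying: bind to loopback (or the proxy's
        private interface) and require a shared secret. The proxy must send
        the same value (e.g. the ProxyPass secret= parameter in httpd).
        REPLACE_WITH_LONG_RANDOM_SECRET is a placeholder, not a real value. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           requiredSecret="REPLACE_WITH_LONG_RANDOM_SECRET" />

<!-- Tomcat 8.5.51+ and 9.0.31+ renamed this setting: use
     secretRequired="true" secret="..." in place of requiredSecret. -->
```

Whichever state you choose, confirm the result from outside the host (for example with a port scan of 8009 from another machine) rather than trusting the file alone, since a firewall rule or a second Tomcat instance can leave the port open anyway.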