CVE-2020-1938 Ghostcat

UPDATE (4/28/2020): Cascade CMS 8.15 contains an updated version of Tomcat that addresses this vulnerability. The information below can still be useful for organizations that have not had a chance to upgrade to Cascade CMS 8.15+ yet or that happen to be proxying with Apache, Nginx, etc. (and need to configure the AJP Connector accordingly).

By default, all versions of Tomcat (which come bundled with Cascade CMS) contain an AJP Connector which is configured to listen on port 8009 across all IP addresses. With the recent discovery of CVE-2020-1938, Hannon Hill recommends taking the following action(s) to ensure that your organization's CMS instance remains secure.

If you are using the bundled instance of Tomcat only to run Cascade CMS (not proxying with Apache, Nginx, etc.)

For standard installations of Cascade CMS which only rely on Tomcat and are not configured with a proxy server, we recommend taking the following action:

  • Stop Cascade CMS.
  • Edit the tomcat/conf/server.xml file.
  • Locate the AJP Connector (around lines 116-117).

  • Disable the AJP Connector by commenting it out. Example:

     <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
  • Start Cascade CMS.

If you are using the HTTP Connector to proxy with Apache, Nginx, etc.

Organizations using the HTTP Connector (or some other method not using AJP ) to proxy should be sure to disable the AJP Connector using the same steps listed above.

If you are using the AJP Connector to proxy with Apache, Nginx, etc.

For installations of Cascade CMS where the application is being accessed through a proxy that is configured via AJP, we recommend taking the following action(s):

  • Ensure that your organization's firewall is configured such that port 8009 (the default AJP port) is not exposed to the internet. Instead, this port should only be accessible to the local machine (if the proxy is on the local machine) or to the IP address of the proxy.

  • Modify the AJP Connector to explicitly listen on a single IP address. This can be done by adding an address attribute to the AJP Connector in the tomcat/conf/server.xml file. Example:

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="127.0.0.1"/>

In the sample above, the AJP Connector will listen on port 8009 only for the localhost IP of 127.0.0.1 .

Cascade Cloud customers

Organizations using Cascade Cloud (hosted by Hannon Hill) are not exposed to this vulnerability. No changes are necessary.