Apache Tomcat version older than 7.0.21 - Vulnerability Database

Apache Tomcat version older than 7.0.21

Description

Apache Tomcat versions 7.0.0 through 7.0.20 contain a critical vulnerability in the Apache JServ Protocol (AJP) connector that allows attackers to manipulate request processing. When Tomcat receives AJP messages containing request bodies from reverse proxies, it may incorrectly interpret subsequent unsolicited AJP messages as new requests rather than continuation data. This protocol confusion enables attackers with control over AJP message content to inject malicious requests, bypassing authentication mechanisms and accessing sensitive information. This vulnerability is tracked as CVE-2011-3190.

Affected versions: Apache Tomcat 7.0.0 through 7.0.20

Remediation

Immediately upgrade Apache Tomcat to version 7.0.21 or later to remediate this vulnerability. Follow these steps:

1. Backup your current installation: Create backups of your Tomcat configuration files, web applications, and data directories before proceeding.

2. Download and install the latest version: Obtain Apache Tomcat 7.0.21 or newer from the official Apache Tomcat website (https://tomcat.apache.org/).

3. Secure the AJP connector: If you must use AJP, ensure it is only accessible from trusted reverse proxy servers by binding it to localhost or using firewall rules:

<!-- Bind AJP to the loopback address so only a reverse proxy on the same host can reach it.
     The secretRequired and secret attributes exist in Tomcat 7.0.100 and later; replace the
     placeholder value with a strong random secret that is also configured on the proxy. -->
<Connector port="8009" protocol="AJP/1.3"
           address="127.0.0.1"
           secretRequired="true" secret="your-secret-key" />

4. Disable AJP if not needed: If you are not using a reverse proxy with AJP, comment out or remove the AJP connector from server.xml.

5. Verify the upgrade: After upgrading, confirm the version by checking the Tomcat logs or accessing the server status page to ensure version 7.0.21 or later is running.
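The following audit script is an added example, not part of this database entry or of Apache Tomcat; it checks a version string against the 7.0.21 fix boundary and parses a server.xml (a constructed sample is embedded) for AJP connectors that are not bound to loopback or have no shared secret, covering steps 3 to 5 above.

```python
"""Audit Tomcat AJP hardening: version check plus server.xml connector review.

Constructed example (not Invicti's or Tomcat's code). It assumes the
operator can supply the version banner and the contents of server.xml.
"""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (7, 0, 21)           # first 7.0.x release with the fix
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: one exposed AJP connector and one hardened connector.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" />
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="example-secret" />
  </Service>
</Server>"""


def parse_version(version_string):
    """Extract (major, minor, patch) from text such as 'Apache Tomcat/7.0.20'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not match:
        raise ValueError(f"no version number found in {version_string!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable_version(version_string):
    """True for the 7.0.0 through 7.0.20 range named in the description."""
    major, minor, patch = parse_version(version_string)
    return (major, minor) == (7, 0) and (major, minor, patch) < FIXED_VERSION


def audit_ajp_connectors(server_xml):
    """Return [(port, findings)] for every AJP connector; empty findings means hardened."""
    root = ET.fromstring(server_xml)
    results = []
    for connector in root.iter("Connector"):
        # Matches "AJP/1.3" as well as fully qualified AJP protocol class names.
        if "ajp" not in connector.get("protocol", "").lower():
            continue
        findings = []
        address = connector.get("address")   # unset means all interfaces
        if address not in LOOPBACK:
            findings.append(f"listens on {address or 'all interfaces'}")
        if not connector.get("secret"):
            findings.append("no shared secret configured")
        results.append((connector.get("port"), findings))
    return results


if __name__ == "__main__":
    print("vulnerable version:", is_vulnerable_version("Apache Tomcat/7.0.20"))
    for port, findings in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(port, findings or ["ok"])
```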

Related Vulnerabilities