TOMCAT CVE-2020-1938: Ghostcat (AJP)

We’re on Tomcat 9.x rather than 8.x, but having applied the patch the default setting is now to require a secret. That means you’ll need to set one both in server.xml and in your BonCode settings file:

Server.xml

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" maxThreads="300" packetSize="65536" secret="XXXX" />

BonCodeAJP13.settings

<RequestSecret>XXXX</RequestSecret>

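A configuration check for the two settings above, added here as an example and not part of the original post: it parses server.xml and BonCodeAJP13.settings and reports any AJP connector whose secret is missing, not enforced, or different from BonCode's RequestSecret. The sample file contents, the `<Settings>` wrapper and the function names are constructed for illustration, and a patched Tomcat (where `secretRequired` defaults to true) is assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample files with a placeholder secret, mirroring the post's snippets.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
             maxThreads="300" packetSize="65536" secret="XXXX" />
</Service></Server>"""
BONCODE_SETTINGS = "<Settings><Port>8009</Port><RequestSecret>XXXX</RequestSecret></Settings>"


def ajp_connectors(server_xml):
    """Return the attribute dicts of every AJP <Connector> in server.xml."""
    root = ET.fromstring(server_xml)
    # Matches both protocol="AJP/1.3" and a class name such as ...ajp.AjpNioProtocol.
    return [c.attrib for c in root.iter("Connector")
            if "ajp" in c.get("protocol", "").lower()]


def boncode_secret(settings_xml):
    """Return the <RequestSecret> text from BonCodeAJP13.settings, or None."""
    node = next(ET.fromstring(settings_xml).iter("RequestSecret"), None)
    return node.text.strip() if node is not None and node.text else None


def audit(server_xml, settings_xml):
    """List findings; an empty list means Tomcat and BonCode agree on a secret."""
    findings = []
    iis_side = boncode_secret(settings_xml)
    for conn in ajp_connectors(server_xml):
        port = conn.get("port", "?")
        # "requiredSecret" is the older, deprecated name of the "secret" attribute.
        secret = conn.get("secret") or conn.get("requiredSecret")
        # Assumption: patched Tomcat, where an absent secretRequired means "true".
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append(f"port {port}: secretRequired=false, secret not enforced")
        if not secret:
            findings.append(f"port {port}: no secret set on AJP connector")
        elif iis_side is None:
            findings.append(f"port {port}: BonCode has no RequestSecret")
        elif secret != iis_side:
            findings.append(f"port {port}: secret differs from BonCode RequestSecret")
    return findings


if __name__ == "__main__":
    for line in audit(SERVER_XML, BONCODE_SETTINGS) or ["OK: secrets match"]:
        print(line)
```

To run it against a real installation, pass the contents of the two files to `audit()` in place of the constructed strings.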