Document Properties
Kbid: 293D38
Last Modified: 02-Nov-2023
Added to KB: 09-Mar-2020
Public Access: Everyone
Status: Online
Doc Type: Support Articles
Product: ICM 7.10
Support Article - Ghostcat Vulnerability

Introduction

The Ghostcat vulnerability described in https://nvd.nist.gov/vuln/detail/CVE-2020-1938 affects the Apache JServ Protocol (AJP) connector, which is enabled by default in Apache Tomcat as obtained directly from Apache (http://tomcat.apache.org/).

Intershop uses Apache Tomcat as its application server, but the default configuration shipped with Intershop 7 does not use the Apache JServ Protocol (AJP). Therefore, Intershop's application server is not affected by the Ghostcat vulnerability.

Please see the following Q&A section for details.

References

Frequently Asked Questions

Q: Is Intershop 7 affected by the Ghostcat vulnerability?

A: No. To exploit the Ghostcat vulnerability, the Apache JServ Protocol (AJP) must be enabled. In the default configuration shipped with Intershop 7, AJP is disabled. Therefore, Intershop 7 is not affected by the Ghostcat vulnerability.


Q: If Apache JServ Protocol (AJP) is enabled in addition to the default configuration, is Intershop 7 vulnerable then?

A: Even if AJP is used in custom projects, the vulnerability cannot be exploited, because Apache Tomcat is not used as the front-end (or back-end) service. Instead, the Webadapter extension of the Apache web server does the "front-end/back-end" work. That means Tomcat is not accessible from the internet and cannot be reached to exploit the vulnerability.
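The two answers above rest on the state of the AJP connector in Tomcat's server.xml: either no active connector exists, or one exists but is not reachable from outside. As an added example that is not part of this article or of Intershop's tooling, the following Python script audits a server.xml for active AJP connectors and reports whether each is bound to a non-loopback address or configured without a shared secret; the sample server.xml is constructed, and the attribute names it inspects (protocol, address, secret, requiredSecret) are standard Tomcat connector attributes.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Tomcat server.xml: one HTTP connector, one AJP
# connector that is commented out (hence disabled), and one live AJP
# connector bound to all interfaces with no shared secret configured.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <!-- <Connector protocol="AJP/1.3" address="::1" port="8009" redirectPort="8443"/> -->
    <Connector protocol="AJP/1.3" address="0.0.0.0" port="8009" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list[dict]:
    """Return one finding per active AJP connector in server.xml.

    The XML parser drops comments, so a commented-out <Connector> correctly
    counts as disabled. A connector is flagged 'exposed' when it is not bound
    to a loopback address (a missing address is treated conservatively as
    all interfaces) and 'unauthenticated' when no AJP secret is configured
    (attribute 'secret' in current Tomcat, 'requiredSecret' in older releases).
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        # Matches both "AJP/1.3" and class names such as org.apache.coyote.ajp.AjpNioProtocol
        if "AJP" not in protocol.upper():
            continue
        address = conn.get("address", "0.0.0.0")
        secret = conn.get("secret") or conn.get("requiredSecret")
        findings.append({
            "port": conn.get("port"),
            "address": address,
            "exposed": address not in LOOPBACK_ADDRESSES,
            "unauthenticated": not secret,
        })
    return findings


def ajp_disabled(server_xml: str) -> bool:
    """True when server.xml has no active AJP connector, the state the article describes for stock Intershop 7."""
    return not audit_ajp_connectors(server_xml)
```

Run it against the server.xml of each Tomcat instance; an empty result confirms the default state described in the first answer, while any finding marked exposed should be cross-checked against the network placement described in the second.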


Q: Can I update the Apache Tomcat in Intershop 7 to a version that fixes the Ghostcat vulnerability?

A: Intershop 7 uses an extended version of Apache Tomcat. So, it is not possible to update the Tomcat directly.


Q: When will Intershop provide an Apache Tomcat version that fixes the Ghostcat vulnerability?

A: Intershop will not update Tomcat for Intershop 7.10 and below as long as no security issues related to the Intershop setup are found. Starting with Intershop 7.11, the Tomcat version will be updated. Additionally, the extension of the special Intershop Tomcat version will be removed to significantly increase compatibility and upgradability.


Disclaimer
The information provided in the Knowledge Base may not be applicable to all systems and situations. Intershop Communications will not be liable to any party for any direct or indirect damages resulting from the use of the Customer Support section of the Intershop Corporate Web site, including, without limitation, any lost profits, business interruption, loss of programs or other data on your information handling system.