
Ghostcat bug impacts all Apache Tomcat versions released in the last 13 years - LinuxBender
https://www.zdnet.com/article/ghostcat-bug-impacts-all-apache-tomcat-versions-released-in-the-last-13-years/
======
keeganwitt
The Spring Boot comment should be elaborated on (I was surprised the Spring guys
didn't write anything about it in their blog). This is off by default, but you
could be vulnerable if you configured it to be on (I'd look for a bean
definition of `EmbeddedServletContainerFactory` that adds a connector with
`new Connector("AJP/1.3")`). If that's the case, you can either upgrade Spring
Boot to pull in an updated Tomcat, or override the Tomcat version with the
`tomcat.version` property.
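
The bean shape described above, as an added example that is not from this thread or from Spring's or Tomcat's own code: the Spring Boot 1.x class names match the comment, the `ajp.secret` property is a hypothetical placeholder, and the `secretRequired`/`secret` connector attributes assume `tomcat.version` has already been bumped to a fixed Tomcat release.

```java
import org.apache.catalina.connector.Connector;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.context.embedded.EmbeddedServletContainerFactory;
import org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class AjpConnectorConfig {

    // The pattern to search a code base for: an extra AJP connector with defaults.
    // On Tomcat builds before the fix it listens on every interface with no shared
    // secret, so anything that can reach port 8009 can talk AJP to the container.
    static Connector exposedAjpConnector() {
        Connector ajp = new Connector("AJP/1.3");
        ajp.setPort(8009);
        return ajp;
    }

    // The same connector after the Tomcat upgrade: bound to loopback and requiring
    // the shared secret that the front-end proxy presents. "address" is a standard
    // connector attribute; "secretRequired" and "secret" are the AJP attributes
    // introduced with the fix (assumption: a fixed Tomcat is on the classpath).
    static Connector restrictedAjpConnector(String sharedSecret) {
        Connector ajp = new Connector("AJP/1.3");
        ajp.setPort(8009);
        ajp.setProperty("address", "127.0.0.1");
        ajp.setProperty("secretRequired", "true");
        ajp.setProperty("secret", sharedSecret);
        return ajp;
    }

    // Only register the restricted connector; if no proxy in front of the app
    // speaks AJP, drop this bean entirely and the port is never opened.
    @Bean
    public EmbeddedServletContainerFactory servletContainer(
            @Value("${ajp.secret}") String sharedSecret) {   // ajp.secret is a placeholder name
        TomcatEmbeddedServletContainerFactory tomcat = new TomcatEmbeddedServletContainerFactory();
        tomcat.addAdditionalTomcatConnectors(restrictedAjpConnector(sharedSecret));
        return tomcat;
    }
}
```

After deploying, confirm from outside the host that 8009 is no longer reachable; the loopback binding and the secret are independent controls, and either one failing to apply leaves the connector as exposed as `exposedAjpConnector()` shows.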

------
reader_1000
Exposing an application server to the internet is not a good idea. It is
always better to have a simple proxy that has the absolute minimum set of
software installed on it and let it handle the requests coming from the
internet and forward them to the application server. With this kind of
deployment, your attack surface will be much smaller and you will be protected
from the bugs described in the article.

------
benaadams
> According to Snyk, apps built on the Spring Boot Java framework are also
> vulnerable since they come with a pre-included Tomcat server. Per Red Hat,
> Tomcat also ships with other Java-based frameworks and servers, such as
> JBossWeb and JBoss EAP.

