Tomcat is the widely used application server designed to execute Java servlets and render web pages using JavaServer Pages script.

The Ghostcat is a serious flaw with the Apache-Tomcat server discovered by security researcher Chaitin Tech. It affects all the versions of Tomcat with the default configuration.


The flaw resides in the Tomcat AJP connector which is the channel used by Tomcat to receives the request from outside. The connector enabled in Apache/Tomcat server via port 8009.

By exploiting the vulnerability attacker can read or include any files in the webapp directories of Tomcat.

The attacker can read the source code files of the web application and if the web application has an upload function, the attacker may execute malicious code.

If the AJP connector is enabled in the server, then there is a risk of being exploited by the Ghostcat vulnerability.

To note the AJP Connector is enabled by default and listens at port 8009. AJP protocol is used as a performance-optimized version of the HTTP protocol.

If you are not using AJP Connector it is recommended to safely comment out or delete the declaration from the server.xml configuration file.

Vulnerabilities Fixed with Following versions

  • Apache Tomcat 9.x < 9.0.31
  • Apache Tomcat 8.x < 8.5.51
  • Apache Tomcat 7.x < 7.0.100
  • Apache Tomcat 6.x

Here you can find Chaitin Tech blog post details about upgrading and how to configure “secret” attribute with the AJP Connector.

You can find the online vulnerability scanning tool here.

Follow on Twitter for Daily cyber security & hacking news updates: Cyber Security News

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.