Tomcat AJP vulnerability and Razuna

We were notified of an AJP security vulnerability that affects all Apache Tomcat releases. The issue is tracked as CVE-2020-1938. A remote, unauthenticated/untrusted attacker could exploit the AJP connector to read web application files from a server that exposes the AJP port to untrusted clients.

That said, the Tomcat instance included in our Razuna download has the AJP connector disabled by default. Also, all customers of our dedicated Razuna servers are already protected!

However, if you installed Razuna on your own custom Tomcat installation, please make sure to disable the AJP connector in the server.xml file, which can be found in the tomcat/config folder.
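
One way to verify this step, as an added example that is not part of the original post or Razuna's own code: the script parses a server.xml and lists every AJP connector that is still active (commented-out connectors are ignored). The two sample files are constructed; pass the path to your own server.xml as the first argument.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a server.xml with the AJP connector still enabled.
SAMPLE_ENABLED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""

# Constructed sample: the same file with the AJP connector commented out.
SAMPLE_DISABLED = SAMPLE_ENABLED.replace(
    '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />',
    '<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->')


def is_ajp(protocol):
    """True for "AJP/1.3" and for explicit AJP protocol handler class names."""
    p = protocol.lower()
    return p.startswith("ajp/") or ".ajp." in p


def active_ajp_connectors(server_xml_text):
    """Return one dict per AJP <Connector> that is not commented out."""
    # ElementTree discards XML comments, so commented-out connectors never appear.
    root = ET.fromstring(server_xml_text)
    found = []
    for conn in root.iter("Connector"):
        # A Connector without a protocol attribute is an HTTP/1.1 connector.
        if is_ajp(conn.get("protocol", "HTTP/1.1")):
            found.append({
                "port": conn.get("port"),
                "address": conn.get("address"),  # None = not set in the file
                "has_secret": bool(conn.get("secret") or conn.get("requiredSecret")),
            })
    return found


def main(path=None):
    """Print findings; return 1 if an active AJP connector exists, else 0."""
    text = open(path, encoding="utf-8").read() if path else SAMPLE_ENABLED
    hits = active_ajp_connectors(text)
    for h in hits:
        print(f"AJP connector enabled: port={h['port']} "
              f"address={h['address']} secret set={h['has_secret']}")
    if not hits:
        print("No active AJP connector found")
    return 1 if hits else 0


if __name__ == "__main__":
    import sys
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

The exit status is 1 when an active AJP connector is found, so the check can be dropped into a deployment or monitoring script.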