Check open AJP ports (Ghostcat vulnerability)

To prevent unauthorized access, check that the AJP ports of your ARIS installations are only accessible from networks from which users access ARIS.

Procedure

  1. Start ARIS Cloud Controller (ACC).
  2. To check ports used by runnables, enter: show node

    The list is displayed. Navigate to the Known used ports section.

    Port    Runnable         Port Parameter
    443     loadbalancer_m   HTTPD.ssl.port                            Set explicitly
    1080    loadbalancer_m   HTTPD.port                                Set explicitly
    14200   cloudsearch_m    zookeeper.application.instance.port       Set explicitly
    14201   cloudsearch_m    JAVA-DCSHTTPPORT                          Set explicitly
    14206   cloudsearch_m    JAVA-Dcom.sun.management.jmxremote.port   Set explicitly
    14220   elastic_m        ELASTICSEARCH.http.port                   Set explicitly
    14226   elastic_m        JAVA-Dcom.sun.management.jmxremote.port   Set explicitly
    14230*  elastic_m        ELASTICSEARCH.transport.tcp.port          Set explicitly
    14240   postgres_m       postgresql.port                           Set explicitly
    14250   cdf_m            connector.http.port                       Set explicitly
    14251   cdf_m            connector.ajp.port                        Set explicitly
    14256   cdf_m            JAVA-Dcom.sun.management.jmxremote.port   Set explicitly
    14281   zoo_m            clientPort                                DEFAULT
    14296   zoo_m            JAVA-Dcom.sun.management.jmxremote.port   Set explicitly
    14400   abs_m            connector.http.port                       Set explicitly
    14401   abs_m            connector.ajp.port                        Set explicitly
    14406   abs_m            JAVA-Dcom.sun.management.jmxremote.port   Set explicitly
    14410   adsadmin_m       connector.http.port                       Set explicitly
    14411   adsadmin_m       connector.ajp.port                        Set explicitly
    14416   adsadmin_m       JAVA-Dcom.sun.management.jmxremote.port   Set explicitly
    14420   apg_m            connector.http.port                       Set explicitly
    14421   apg_m            connector.ajp.port                        Set explicitly
    14426   apg_m            JAVA-Dcom.sun.management.jmxremote.port   Set explicitly
    14430   copernicus_m     connector.http.port                       Set explicitly
    14431   copernicus_m     connector.ajp.port                        Set explicitly
    14436   copernicus_m     JAVA-Dcom.sun.management.jmxremote.port   Set explicitly
    14440   ecp_m            connector.http.port                       Set explicitly
    14441   ecp_m            connector.ajp.port                        Set explicitly
    14446   ecp_m            JAVA-Dcom.sun.management.jmxremote.port   Set explicitly
    14450   hds_m            connector.http.port                       Set explicitly
    14451   hds_m            connector.ajp.port                        Set explicitly
    14456   hds_m            JAVA-Dcom.sun.management.jmxremote.port   Set explicitly
    14460   octopus_m        connector.http.port                       Set explicitly
    14461   octopus_m        connector.ajp.port                        Set explicitly
    14466   octopus_m        JAVA-Dcom.sun.management.jmxremote.port   Set explicitly
    14470   simulation_m     connector.http.port                       Set explicitly
    14471   simulation_m     connector.ajp.port                        Set explicitly
    14476   simulation_m     JAVA-Dcom.sun.management.jmxremote.port   Set explicitly
    14480   umcadmin_m       connector.http.port                       Set explicitly
    14481   umcadmin_m       connector.ajp.port                        Set explicitly
    14486   umcadmin_m       JAVA-Dcom.sun.management.jmxremote.port   Set explicitly
    14490   dashboarding_m   connector.http.port                       Set explicitly
    14491   dashboarding_m   connector.ajp.port                        Set explicitly
    14496   dashboarding_m   JAVA-Dcom.sun.management.jmxremote.port   Set explicitly
    14497   dashboarding_m   JAVA-Xrunjdwp\:transport                  Set explicitly

    Every row whose Port Parameter is connector.ajp.port is an open AJP port; in the listing above these are the ports ending in 1 (14251, 14401, 14411, and so on), one per runnable.

  3. If any of these ports are reachable from an external network, block access to them on your firewall immediately.

You have secured the system.

Important: If your ARIS system is a multi-node installation, the AJP ports must remain open for data transfer between the nodes. These open AJP ports do not represent a security gap, because distributed ARIS installations must always be protected by a firewall.
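As an added example that is not part of the ARIS documentation, the following Python script automates steps 2 and 3: it extracts every connector.ajp.port row from a saved `show node` listing and then tests whether each of those ports accepts a TCP connection from the machine running the script. The listing excerpt is constructed from the table above, and the host name passed to the audit is an assumption; run the audit from a network that should not be able to reach ARIS, so that any port reported as reachable is one the firewall still needs to block.

```python
import re
import socket
from typing import Dict, List, Tuple

# Constructed excerpt of the "Known used ports" section of an ACC "show node"
# listing (modelled on the table in this procedure, not captured from a live system).
SAMPLE_SHOW_NODE = """\
Known used ports
Port Runnable Port Parameter
443 loadbalancer_m HTTPD.ssl.port Set explicitly
14230* elastic_m ELASTICSEARCH.transport.tcp.port Set explicitly
14250 cdf_m connector.http.port Set explicitly
14251 cdf_m connector.ajp.port Set explicitly
14281 zoo_m clientPort DEFAULT
14400 abs_m connector.http.port Set explicitly
14401 abs_m connector.ajp.port Set explicitly
14480 umcadmin_m connector.http.port Set explicitly
14481 umcadmin_m connector.ajp.port Set explicitly
"""

# port (optionally marked with '*'), runnable, parameter name, remainder of the row
ROW = re.compile(r"^\s*(\d+)\*?\s+(\S+)\s+(\S+)\s+(.*?)\s*$")


def ajp_ports(show_node_output: str) -> List[Tuple[int, str]]:
    """Return (port, runnable) for every row whose parameter is connector.ajp.port."""
    found = []
    for line in show_node_output.splitlines():
        m = ROW.match(line)
        if m and m.group(3) == "connector.ajp.port":
            found.append((int(m.group(1)), m.group(2)))
    return found


def reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a plain TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered, timed out or unresolvable
        return False


def audit(host: str, show_node_output: str) -> Dict[int, bool]:
    """Map each AJP port from the listing to whether this host can reach it."""
    return {port: reachable(host, port) for port, _ in ajp_ports(show_node_output)}


if __name__ == "__main__":
    # "aris.example.internal" is a placeholder; substitute the ARIS node's address.
    for port, is_open in audit("aris.example.internal", SAMPLE_SHOW_NODE).items():
        print(f"AJP port {port}: {'REACHABLE - block on firewall' if is_open else 'blocked'}")
```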