Doc Type
Support Articles
ICM 7.10
Support Article - Ghostcat Vulnerability


The Ghostcat vulnerability described in is based on the Apache JServ Protocol (AJP), which is enabled by default in Apache Tomcat when obtained directly from Apache.

Intershop uses Apache Tomcat as its application server, but the default configuration shipped with Intershop 7 does not use the Apache JServ Protocol (AJP). Therefore, Intershop's application server is not affected by the Ghostcat vulnerability.

Please see the following Q&A section for details.


Frequently Asked Questions

Q: Is Intershop 7 affected by the Ghostcat vulnerability?

A: No. To exploit the Ghostcat vulnerability, the Apache JServ Protocol (AJP) must be enabled. In the default configuration shipped with Intershop 7, AJP is disabled. Therefore, Intershop 7 is not affected by the Ghostcat vulnerability.

Q: If AJP is enabled in addition to the default configuration, is Intershop 7 vulnerable?

A: Even if AJP is used in custom projects, the vulnerability cannot be exploited because Apache Tomcat is not used as a front-end (or back-end) service. Instead, the Webadapter extension of the Apache web server does the “front-end/back-end” work. This means that Tomcat is not accessible via the internet and cannot be reached to exploit the vulnerability.
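Both answers above rest on the connector configuration: whether an AJP connector is active and which address it binds to. The following check is an added example, not Intershop's own tooling; it parses a Tomcat `server.xml` and lists every active AJP connector. The sample file content is constructed, and where Intershop 7 stores its `server.xml` is not stated in this article.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample (not Intershop's shipped file): the stock AJP connector
# is commented out, one AJP connector is loopback-only, one has no address.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <!-- <Connector port="8009" protocol="AJP/1.3"/> -->
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"/>
    <Connector port="8011" protocol="org.apache.coyote.ajp.AjpNioProtocol"/>
  </Service>
</Server>"""


def is_ajp(protocol):
    """True for 'AJP/1.3' and for org.apache.coyote.ajp.* class names."""
    return protocol.lower().startswith("ajp/") or ".ajp." in protocol.lower()


def is_loopback(address):
    """True only for 'localhost' or a literal loopback IP address."""
    if address is None:
        # Assumption: the default bind address depends on the Tomcat
        # version, so a missing attribute is reported as exposed.
        return False
    if address.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # other hostnames count as exposed until checked


def audit_ajp(server_xml):
    """Return one finding per active AJP connector in a server.xml string."""
    findings = []
    root = ET.fromstring(server_xml)  # commented-out connectors are skipped
    for conn in root.iter("Connector"):
        if not is_ajp(conn.get("protocol", "HTTP/1.1")):
            continue
        address = conn.get("address")
        findings.append({"port": conn.get("port"), "address": address,
                         "exposed": not is_loopback(address)})
    return findings


if __name__ == "__main__":
    print(*audit_ajp(SAMPLE_SERVER_XML), sep="\n")
```

An empty result means no AJP connector is active in the file. A finding marked `exposed` still needs a firewall and network-path review before concluding that the port is reachable from outside the host.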

Q: Can I update the Apache Tomcat in Intershop 7 to a version that fixes the Ghostcat vulnerability?

A: Intershop 7 uses an extended version of Apache Tomcat, so it is not possible to update Tomcat directly.

Q: When will Intershop provide an Apache Tomcat version that fixes the Ghostcat vulnerability?

A: Intershop will not update Tomcat for Intershop 7.10 and below, as long as no security issues are found that relate to the Intershop setup. Starting with Intershop 11, the Tomcat version will be updated. Additionally, the extension of the special Intershop Tomcat version will be removed to increase compatibility and upgradability significantly.
