Subject: Apache Tomcat Security Vulnerability Notice


Hi Kylin users,

On February 20, China National Vulnerability Database (CNVD) published a
severe vulnerability in Apache Tomcat's Apache JServ Protocol (AJP). Because
Apache Kylin uses Tomcat as its web container and Tomcat 7.0.91 is packaged
in Kylin's release package, Kylin is also affected by this security issue.

I strongly recommend you apply one of the two solutions below to your Kylin
servers to avoid this security issue:

   1. Download and install Tomcat 7.0.100 in Kylin
   2. Disable the AJP connector: in the $KYLIN_HOME/tomcat/conf/server.xml
   file, find and comment out the following configuration (the specific port
   may differ depending on the initial configuration; the protocol is always
   protocol="AJP/1.3")

<Connector port="9009" protocol="AJP/1.3" redirectPort="9443" />

Then restart your Kylin instances.

We'll upgrade the Tomcat packaged with Kylin in the next releases.

---------------------

Best regards,

Ni Chunen / George
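
Added example (not part of the original message and not Kylin project code): a Python check for option 2 that lists AJP connectors still active in a server.xml and comments them out. The sample file content and the function names are constructed for illustration; matching Tomcat's org.apache.coyote.ajp class names in addition to "AJP/1.3" goes beyond the case named in the notice.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample resembling $KYLIN_HOME/tomcat/conf/server.xml (not Kylin's real file).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="9005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="7070" protocol="HTTP/1.1" redirectPort="9443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" /> -->
    <Connector port="9009" protocol="AJP/1.3" redirectPort="9443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)
# Self-closing form only, as shown in the notice.
CONNECTOR = re.compile(r"<Connector\b[^>]*?/>", re.DOTALL)
PROTOCOL = re.compile(r"""\bprotocol\s*=\s*["']([^"']*)["']""")

def is_ajp(protocol):
    # "AJP/1.3" is the value from the notice; Tomcat also accepts
    # implementation class names under org.apache.coyote.ajp.
    return protocol.upper().startswith("AJP/") or ".ajp." in protocol.lower()

def active_ajp_ports(xml_text):
    """Ports of AJP connectors Tomcat would load. ElementTree drops XML
    comments, so connectors that are already commented out are ignored."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [c.get("port") for c in root.iter("Connector")
            if is_ajp(c.get("protocol", "HTTP/1.1"))]

def comment_out_ajp(xml_text):
    """Wrap every active AJP connector in an XML comment; leave the rest as-is."""
    commented = [m.span() for m in COMMENT.finditer(xml_text)]

    def replace(m):
        inside = any(s <= m.start() and m.end() <= e for s, e in commented)
        proto = PROTOCOL.search(m.group(0))
        if inside or not proto or not is_ajp(proto.group(1)):
            return m.group(0)
        return "<!-- " + m.group(0) + " -->"

    return CONNECTOR.sub(replace, xml_text)

if __name__ == "__main__":
    print("active AJP ports before:", active_ajp_ports(SAMPLE_SERVER_XML))
    patched = comment_out_ajp(SAMPLE_SERVER_XML)
    print("active AJP ports after: ", active_ajp_ports(patched))
```

To use it on a real instance, read server.xml into a string, write the patched text back after keeping a backup copy, and restart Kylin as described above.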