Tuesday, March 3, 2020


Dear Customer

A critical vulnerability has been found in Apache Tomcat. The vulnerability is also known as Ghostcat and identified as CVE-2020-1938.

The flaw in the Apache Tomcat AJP connector allows an attacker to read or include files in the web application directory and, in some configurations, to achieve remote code execution.

Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in different ways.


Technical Overview


CVE-2020-1938
In affected versions, file read and file inclusion are possible by exploiting the AJP connector in Apache Tomcat. By default the AJP connector listens on TCP port 8009 and is bound to all IPv4 addresses, i.e. 0.0.0.0.

An unauthenticated, untrusted remote attacker can use this AJP configuration to read web application files from any server that exposes the AJP port to untrusted clients. If the server is also poorly configured to allow file uploads, the attacker can upload malicious JavaServer Pages (JSP) code inside a variety of file types and gain remote code execution (RCE).


Affected Version:

It affects Apache Tomcat 9 before 9.0.31, Tomcat 8 before 8.5.51, and Tomcat 7 before 7.0.100.


Mitigation:

The first step is to check whether the AJP Connector is in use at all. If it is not, disable it by commenting it out in your server.xml file as:

Block port 8009 in your server firewall and allow access only from the specific public or private IP addresses that actually need it.

Another recommended option is to set a secret for the AJP connector, so that only requests from workers that present the same secret are accepted. On the Tomcat side, edit server.xml:


Note: Replace YOUR_AJP_SECRET with a strong, randomly generated value that cannot be easily guessed.
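As an added example (not part of this advisory, and assuming a fixed Tomcat release whose AJP connector accepts the address, secretRequired and secret attributes), the following Python audits a server.xml for the conditions discussed above: an active AJP connector bound to all interfaces, one with no secret, or one still carrying the placeholder value. The two server.xml fragments it checks are constructed samples that show the exposed default beside the hardened configuration.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragments (not taken from the advisory): the pre-fix
# default AJP connector, and one that applies the advisory's mitigations.
EXPOSED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <!-- Loopback only, and workers must present the shared secret. -->
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="constructed-sample-secret-2020"/>
  </Service>
</Server>"""

PLACEHOLDER_SECRET = "YOUR_AJP_SECRET"  # the advisory's placeholder; must be replaced


def audit_ajp_connectors(server_xml):
    """Return one finding per active AJP <Connector> in a server.xml document.

    A commented-out connector is not an element, so the parser skips it; that
    is the advisory's first mitigation (disable AJP when it is not needed).
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "AJP" not in conn.get("protocol", "").upper():
            continue
        address = conn.get("address", "0.0.0.0")  # Tomcat binds all IPv4 addresses if unset
        secret = conn.get("secret", "")
        issues = []
        if address in ("0.0.0.0", "::"):
            issues.append("AJP bound to all interfaces; set address or firewall port 8009")
        if not secret:
            issues.append("no AJP secret configured; set secretRequired and secret")
        elif secret == PLACEHOLDER_SECRET:
            issues.append("placeholder secret still in use; replace it")
        findings.append({"port": conn.get("port"), "address": address, "issues": issues})
    return findings


if __name__ == "__main__":
    for label, xml in (("exposed", EXPOSED_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for f in audit_ajp_connectors(xml):
            print(label, f["port"], f["address"], f["issues"] or "OK")
```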


Fixed Versions:

9.0.31, 8.5.51, and 7.0.100


We at Ucartz always encourage our customers to follow security best practices and keep their systems updated, protected and patched against known vulnerabilities.


Official security advisories:

https://nvd.nist.gov/vuln/detail/CVE-2020-1938

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938

https://www.chaitin.cn/en/ghostcat

https://access.redhat.com/security/cve/CVE-2020-1938


If you have any queries regarding the patching/updates on Ucartz Networks infrastructure, you may write an email to info@ucartz.com.