High-Risk Vulnerability Affects Servers Running Apache Tomcat

  • CERT Admin
  • Sun Mar 01 2020
  • Alerts

Systems Affected 

     ✻  Apache Tomcat all versions (9.x/8.x/7.x/6.x) 

Threat Level 

High 

Overview 

The vulnerability (CVE-2020-1938), known as 'Ghostcat', lets unauthenticated, remote attackers read any file on the vulnerable web server, which can lead to the disclosure of sensitive configuration files or source code, or to arbitrary code execution, depending on the server configuration.

Description 

According to the cybersecurity company Chaitin Tech, the vulnerability resides in the AJP protocol implementation of the Apache Tomcat software and is due to improper handling of an attribute. The AJP protocol is used by Tomcat to communicate with the Apache web server. The AJP connector listens on TCP port 8009 by default, bound to IP address 0.0.0.0 (all interfaces), and can only be exploited remotely when that port is accessible to untrusted clients.

Impact 

    ✻  Execute arbitrary code
    ✻  Gain access to sensitive configuration files on the server
    ✻  Take control of the whole Apache Tomcat server

Solution / Workarounds

    ✻  Update Apache Tomcat to version 9.0.31, 8.5.51, or 7.0.100, depending on the branch in use
    ✻  Web administrators are strongly recommended to apply the software update as soon as possible
    ✻  Never expose the AJP port to untrusted clients
    ✻  If you are unable to update to the latest version, disable the AJP connector directly or change its listening address to localhost
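The following script is an added example, not part of this advisory, that checks a Tomcat server.xml for the weak AJP settings described above: it flags AJP connectors with no `address` attribute (Tomcat then binds to all interfaces) or a wildcard address, and AJP connectors without a shared `secret` (which the patched releases require unless `secretRequired="false"`). The embedded server.xml is a constructed sample with one default-style connector and one hardened connector.

```python
"""Audit a Tomcat server.xml for AJP connectors exposed beyond localhost (CVE-2020-1938)."""
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from any real deployment): the 8009
# connector uses the pre-9.0.31 default settings, the 8010 one is hardened.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-A-RANDOM-SECRET"/>
  </Service>
</Server>
"""

WILDCARD_ADDRESSES = {"0.0.0.0", "::", "::0"}
LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding dict per AJP connector: port, bound address, and problems."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue  # HTTP connectors are not affected by Ghostcat
        address = conn.get("address")  # absent means Tomcat binds to all interfaces
        problems = []
        if address is None or address in WILDCARD_ADDRESSES:
            problems.append("AJP listening on all interfaces; bind to loopback or disable it")
        elif address not in LOOPBACK_ADDRESSES:
            problems.append("AJP bound to non-loopback address %s; verify clients are trusted" % address)
        # Patched releases refuse to start the AJP connector without a shared
        # secret unless secretRequired="false", so a missing secret is a finding.
        if conn.get("secretRequired", "true").lower() != "false" and not conn.get("secret"):
            problems.append("no AJP secret configured (required by patched Tomcat)")
        findings.append({"port": conn.get("port"), "address": address, "problems": problems})
    return findings


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not f["problems"] else "; ".join(f["problems"])
        print("AJP port %s (address=%s): %s" % (f["port"], f["address"], status))
```

Run it against the real `conf/server.xml` by reading the file into `audit_ajp_connectors`; any connector with a non-empty `problems` list should be disabled, bound to loopback, or given a secret.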

References 

    ✻  https://thehackernews.com/2020/02/ghostcat-new-high-risk-vulnerability.html
    ✻  https://nvd.nist.gov/vuln/detail/CVE-2020-1938

Disclaimer 

The information provided herein is on an "as is" basis, without warranty of any kind.

Last updated: Sun Mar 01 2020