A critical vulnerability named Ghostcat was recently discovered in Apache Tomcat servers. Apache Tomcat is server software used to run Java Servlets and JSPs. The vulnerable code has been present in Tomcat for more than a decade.
Ghostcat, tracked as CVE-2020-1938, was discovered in the Tomcat AJP protocol by researchers at Chaitin Tech. Tomcat is configured with two connectors: an HTTP Connector and an AJP Connector. The AJP Connector is the component that communicates with a web connector via the AJP protocol.
This flaw allows attackers to read or include any file in the web application directories of Tomcat. The impact is much more severe in cases where the application allows the uploading of files: an attacker can upload a malicious file and then include it using the Ghostcat vulnerability, which could result in the execution of malicious code.
A number of researchers have published proofs-of-concept (1, 2, 3, 4, 5) for CVE-2020-1938. The figure below shows the disclosure of data present in the web.xml file on a vulnerable Apache Tomcat server.
Affected versions: Apache Tomcat 6.x, 7.x before 7.0.100, 8.x before 8.5.51, and 9.x before 9.0.31.
The default configuration of Apache Tomcat is vulnerable. Specifically, Ghostcat can be exploited when the AJP Connector is enabled and the attacker can reach the AJP Connector service port. The AJP Connector is enabled by default and listens on port 8009.
How to check if the AJP connector is used in the server environment?
1) Check if any cluster or reverse proxy is used.
2) Also, check whether the cluster or reverse proxy server is communicating with the Tomcat AJP Connector service.
If either is true, then the AJP connector is in use.
An attacker can execute malicious code and also read sensitive information from the configuration files and source code files of all web applications which run on Tomcat.
Apache has released fixes for this vulnerability in Tomcat.
If the AJP connector service is not in use:
If the AJP connector is not being used in the application, then the vulnerability can be fixed by directly upgrading Apache Tomcat to version 7.0.100, 8.5.51, or 9.0.31.
If the upgrade cannot be performed, Chaitin advises following the steps below to disable the AJP Connector directly, or changing its listening address to localhost:
1. Edit <CATALINA_BASE>/conf/server.xml and find the following line (<CATALINA_BASE> is the Tomcat work directory):
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
2. Comment it out (or just delete it):
<!--<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />-->
3. Save the edit, and then restart Tomcat.
It is also recommended to use firewalls to prevent untrusted sources from accessing the Tomcat AJP Connector service port.
If the AJP connector service is in use:
If the AJP connector service is in use, then it is recommended to follow the steps below:
1. Upgrade Tomcat to version 7.0.100, 8.5.51, or 9.0.31, and then configure the "secret" attribute of the AJP Connector to set AJP protocol authentication credentials:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="YOUR_TOMCAT_IP_ADDRESS" secret="YOUR_TOMCAT_AJP_SECRET" />
2. If upgrading is not possible, configure the "requiredSecret" attribute of the AJP Connector to set AJP protocol authentication credentials:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="YOUR_TOMCAT_IP_ADDRESS" requiredSecret="YOUR_TOMCAT_AJP_SECRET" />
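The following audit script is an added example (not from the original advisory or from the Tomcat project) that checks a server.xml for the three states discussed above: an AJP connector left at its default, one commented out, and one bound to loopback with a shared secret. The three server.xml samples are constructed for the example; it flags a connector as exposed when it speaks AJP and has neither a secret/requiredSecret attribute nor a loopback-only address.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml samples (not taken from any real deployment).
VULNERABLE_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

DISABLED_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!--<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />-->
  </Service>
</Server>"""

HARDENED_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" secret="PLACEHOLDER_AJP_SECRET" />
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def audit_ajp_connectors(server_xml):
    """Return one finding per active AJP connector in a server.xml document.

    'exposed' means the connector speaks AJP and has neither a shared secret
    (secret / requiredSecret) nor a loopback-only address. A commented-out
    connector is never parsed, so disabling it clears the finding."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if "AJP" not in protocol.upper():   # matches AJP/1.3 and Ajp*Protocol classes
            continue
        address = conn.get("address", "0.0.0.0")   # unset means bind every interface
        has_secret = bool(conn.get("secret") or conn.get("requiredSecret"))
        loopback_only = address in LOOPBACK
        findings.append({"port": conn.get("port"), "address": address,
                         "has_secret": has_secret, "loopback_only": loopback_only,
                         "exposed": not (has_secret or loopback_only)})
    return findings

def is_ghostcat_exposed(server_xml):
    """True if any AJP connector would accept unauthenticated remote AJP traffic."""
    return any(f["exposed"] for f in audit_ajp_connectors(server_xml))
```

The script only reads the configuration; a firewall rule in front of port 8009 is a separate control that it cannot see, so a connector it flags may still be unreachable from untrusted networks.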