Ghostcat (CVE-2020-1938), a brand-new file inclusion vulnerability in Apache Tomcat
Recently, a new vulnerability in the Apache Tomcat AJP connector was disclosed.
The flaw was discovered by a security researcher from Chaitin Tech [1] and allows a remote attacker to read any file under the webapps directory, or to include such a file.
The AJP Connector
The AJP Connector [3] is generally used to handle (internal) requests, usually on port 8009, coming for example from an Apache HTTP Server placed in front of Tomcat.
The vulnerability (CVE-2020-1938) can be exploited remotely if port 8009 is publicly exposed.
According to a tweet by Joao Matos [2], the vulnerability is not an RCE (Remote Command Execution) by default, but an LFI (Local File Inclusion) that can be turned into RCE under certain conditions:
CVE-2020-1938 is NOT a default Remote Code Execution vul. It is a LFI. So, IF you can:
1) upload files via an APP feature &
2) these files are saved inside the document root (eg. webapps/APP/… &
3) reach the AJP port directly;
Thus, it can be turned into RCE.
PoC and Detection tool
A Proof-of-Concept for the vulnerability has been released on GitHub [3], without any additional details.
Furthermore, the researchers also published an "online detection tool" [1], useful for remotely checking whether a server is vulnerable.
Which Tomcat versions are affected?
- Tomcat 6 (no longer maintained)
- Tomcat 7.x < 7.0.100
- Tomcat 8.x < 8.5.51
- Tomcat 9.x < 9.0.31
Is there a fix?
Apache Tomcat has officially released versions 9.0.31 [4], 8.5.51 [5], and 7.0.100 [6] to fix this vulnerability.
To fix this vulnerability correctly, you first need to determine whether the Tomcat AJP Connector service is actually used in your server environment:
- If no cluster or reverse proxy is used, you can reasonably conclude that AJP is not used and the connector can be disabled.
- Otherwise, you need to figure out whether the cluster or reverse proxy is communicating with the Tomcat AJP Connector service.
For additional details about fixing, please refer to the advisory [1].
As usual, update ASAP (and check port 8009 exposure)!
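As an added example (not part of the original post or the Tomcat project), the following POSIX shell script applies the two checks above: whether a Tomcat version string falls in the affected ranges listed here, and whether a server.xml still has an active AJP connector and which address it binds to. The server.xml fragments are constructed samples; the script assumes that, in the affected versions, a connector without an address attribute listens on all interfaces.

```shell
#!/bin/sh
# Added triage helpers for CVE-2020-1938 (example code, not from the original post).
# ghostcat_affected VERSION  -> returns 0 if VERSION falls in an affected range from the post
# ajp_connector_status FILE  -> prints "disabled", "loopback" or "exposed:<bind address>"

ghostcat_affected() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}; patch=${rest#*.}
    case "$major" in
        6) return 0 ;;                                   # unmaintained, never fixed
        7) if [ "$minor" -eq 0 ] && [ "$patch" -lt 100 ]; then return 0; fi ;;
        8) if [ "$minor" -lt 5 ] || { [ "$minor" -eq 5 ] && [ "$patch" -lt 51 ]; }; then return 0; fi ;;
        9) if [ "$minor" -eq 0 ] && [ "$patch" -lt 31 ]; then return 0; fi ;;
    esac
    return 1
}

ajp_connector_status() {
    # Remove single-line comments, then whole multi-line comment blocks, so the
    # commented-out default AJP connector is not mistaken for an active one.
    live=$(sed -e 's/<!--.*-->//g' -e '/<!--/,/-->/d' "$1" | tr '\n' ' ')
    elem=$(printf '%s\n' "$live" | sed -n 's/.*\(<Connector[^>]*AJP\/1\.3[^>]*>\).*/\1/p')
    if [ -z "$elem" ]; then echo disabled; return 0; fi
    addr=$(printf '%s\n' "$elem" | sed -n 's/.*address="\([^"]*\)".*/\1/p')
    case "$addr" in
        '') echo "exposed:all-interfaces" ;;   # no address attribute: affected versions bind every interface
        127.0.0.1|localhost|::1) echo loopback ;;
        *) echo "exposed:$addr" ;;
    esac
}

# Constructed server.xml fragments (not real deployments) so the script runs stand-alone.
SAMPLE_DISABLED=$(mktemp); SAMPLE_EXPOSED=$(mktemp); SAMPLE_LOOPBACK=$(mktemp)
trap 'rm -f "$SAMPLE_DISABLED" "$SAMPLE_EXPOSED" "$SAMPLE_LOOPBACK"' EXIT
cat >"$SAMPLE_DISABLED" <<'EOF'
<Service name="Catalina">
  <!-- Define an AJP 1.3 Connector on port 8009 -->
  <!--
  <Connector protocol="AJP/1.3" port="8009" redirectPort="8443" />
  -->
  <Connector port="8080" protocol="HTTP/1.1" />
</Service>
EOF
cat >"$SAMPLE_EXPOSED" <<'EOF'
<Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service>
EOF
sed 's/protocol="AJP\/1.3"/& address="::1"/' "$SAMPLE_EXPOSED" >"$SAMPLE_LOOPBACK"

echo "Tomcat 9.0.30 affected: $(ghostcat_affected 9.0.30 && echo yes || echo no)"
echo "disabled sample: $(ajp_connector_status "$SAMPLE_DISABLED")"
echo "exposed sample:  $(ajp_connector_status "$SAMPLE_EXPOSED")"
```

Run it against your own CATALINA_HOME/conf/server.xml and the output of `version.sh` to decide between disabling the connector, binding it to loopback, or upgrading.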
References
- [1] CVE-2020-1938: Ghostcat vulnerability (Chaitin Tech advisory)
- [2] https://twitter.com/joaomatosf/status/1230895566688792576
- [3] Apache Tomcat 8 Configuration Reference (8.0.53) - The AJP Connector
- [4] http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.31_(markt)
- [5] http://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.51_(markt)
- [6] http://tomcat.apache.org/tomcat-7.0-doc/changelog.html#Tomcat_7.0.100_(violetagg)