Recently, a new vulnerability on Apache Tomcat AJP connector was disclosed.

The flaw was discovered by a security researcher of Chaitin Tech [1] and allows a remote attacker to read any webapps files or include a file.

The AJP Connector

The AJP Connector [3] is generally used to manage (internal) requests, usually on port 8009, coming for example from an Apache HTTP Server.
The vulnerability (CVE-2020-1938) could be remotely exploited if port 8009 is publicly exposed.

defaultAccording to a tweet by Joao Matos [2], the vulnerability is not a default RCE (Remote Command Execution), but a LFI (Local File Inclusion) that can be turner in RCE:

CVE-2020-1938 is NOT a default Remote Code Execution vul. It is a LFI. So, IF you can:
1) upload files via an APP feature &
2) these files are saved inside the document root (eg. webapps/APP/… &
3) reach the AJP port directly;
Thus, it can be turned in RCE.

PoC and Detection tool

A Proof-of-Concept for the vulnerability has been realeased on Github [3], without any additional details.

Furthermore, researcher also published an "online detection tool" [1] useful to remotely check vulnerability.

Which Tomcat versions are affected?

  • Tomcat 6 (no longer maintained)
  • Tomcat 7.x < 7.0.100
  • Tomcat 8.x < 8.5.51
  • Tomcat 9.x < 9.0.31

Is there a fix?

Apache Tomcat has officially released versions 9.0.31 [4], 8.5.51 [5], and 7.0.100 [6] to fix this vulnerability.

To fix this vulnerability correctly, you first need to determine if the Tomcat AJP Connector service is used in your server environment:
- If no cluster or reverse proxy is used, you can basically determine that AJP is not used.
- Otherwise, you need to figure out if the cluster or reverse server is communicating with the Tomcat AJP Connector service.

For additional details about fixing, please refer to the advisory [1].

As usual, update ASAP (and check port 8009 exposure)!


  1. CVE-2020-1938: Ghostcat vulnerability
  3. Apache Tomcat 8 Configuration Reference (8.0.53) - The AJP Connector