Get a demo
Voyager18 (research)

What is the Ghostcat Vulnerability (CVE-2020-1938)?

Derek Hays | March 03, 2020

The Apache Tomcat servers that have been released over the last thirteen years are vulnerable to a bug known as “Ghostcat (CVE-2020-1938) that allows hackers to take over unpatched systems. 

Discovered by Chinese cybersecurity firm Chaitin Tech, Ghostcat is a flaw in the Tomcat AJP protocol.

So first – how can I fix the Ghostcat Vulnerability?

Apache Tomcat has officially released versions 9.0.31, 8.5.51, and 7.0.100 to fix this vulnerability. 

To do this correctly, you must determine if the Tomcat AJP Connector service is used in your server environment: 

  • If no cluster or reverse proxy is used, rest assured that AJP is not used.
  • Otherwise, you’ll need to see if the cluster or the reverse server is communicating with the Tomcat AJP Connector service.

If the AJP Connector service is not used: 

If the AJP Connector service is not used, you can fix the vulnerability by directly upgrading Tomcat to any of the following versions: 9.0.31, 8.5.51, or 7.0.100. 

In case you can’t upgrade, you can choose to disable the AJP Connector directly, or change its listening address to the localhost. 

Steps: 

1. Edit <CATALINA_BASE>/conf/server.xml,find the following line (<CATALINA_BASE> is the Tomcat work directory):

<Connector port=”8009″ protocol=”AJP/1.3″ redirectPort=”8443″ /> 

 

2. Comment out it (or just delete it):

<!–<Connector port=”8009″ protocol=”AJP/1.3″ redirectPort=”8443″ />–> 

 

3. Save the edit, and then restart Tomcat.

In addition to the measures mentioned above, you can use firewalls to prevent untrusted sources from accessing the Tomcat AJP Connector service port. 

If the AJP Connector service is in use: 

If the AJP Connector service is in use, we recommend that you upgrade Tomcat to version 9.0.31, 8.5.51, or 7.0.100, and then configure the “secret” attribute for the AJP Connector to set AJP protocol authentication credentials. For example: 

<Connector port=”8009″ protocol=”AJP/1.3″ redirectPort=”8443″ address=”YOUR_TOMCAT_IP_ADDRESS” secret=”YOUR_TOMCAT_AJP_SECRET” /> 

 

Once again, if you can’t upgradeconfigure the “requiredSecret” attribute for the AJP Connector to set AJP protocol authentication credentials. For example: 

<Connector port=”8009″ protocol=”AJP/1.3″ redirectPort=”8443″ address=”YOUR_TOMCAT_IP_ADDRESS” requiredSecret=”YOUR_TOMCAT_AJP_SECRET” /> 

 

Note that you must change the above “YOUR_TOMCAT_AJP_SECRET” to a safer value. 

What can Ghostcat do?

By exploiting of the Ghostcat vulnerability, an attacker will be able to read the contents of configuration files and source code files of all webapps deployed on Tomcat. 

Furthermore, should the website application allow users upload file, an attacker will be able to first upload a file containing malicious JSP script code to the server (the uploaded file itself can be any type of file, such as pictures, plain text files etc.), and then include the uploaded file by exploiting the Ghostcat vulnerability (CVE-2020-1938), which can finally result in RCE.

What versions of Tomcat are affected?

  • Apache Tomcat 9.x < 9.0.31 
  • Apache Tomcat 8.x < 8.5.51 
  • Apache Tomcat 7.x < 7.0.100 
  • Apache Tomcat 6.x 

Under what circumstances can Tomcat be exploited?

If the AJP Connector is enabled and the attacker can access the AJP Connector service port, there is a risk of be exploited by the Ghostcat vulnerability. 

It should be noted that Tomcat AJP Connector is enabled by default and listens at 0.0.0.0:8009. 

Github is currently full of exploits

The Ghostcat vulnerability identifiers are CVE-2020-1938. 

According to a BinaryEdge search, there are more than one million Tomcat servers currently available online. 

Red Hat recommends disabling the AJP connector in Tomcat in case it’s not used, or binding it to localhost port. This is because most of AJP’s use is in cluster environments and the 8009 port should never be exposed on the internet without strict access-control lists. 

To learn more about how Vulcan can help you orchestrate remediation, speak with one of our experts 

Sources:

 

Free for risk owners

Set up in minutes to aggregate and prioritize cyber risk across all your assets and attack vectors.

"Idea for an overwhelmed secops/security team".

Name Namerson
Head of Cyber Security Strategy

strip-img-2.png

Get rid of silos;

Start owning exposure risk

Test drive the leader in exposure risk management