

The Ghostcat vulnerability identifier is CVE-2020-1938.

Under what circumstances can Tomcat be exploited?

If the AJP Connector is enabled and the attacker can access the AJP Connector service port, there is a risk of being exploited by the Ghostcat vulnerability. It should be noted that the Tomcat AJP Connector is enabled by default and listens at 0.0.0.0:8009.
What can Ghostcat do?

By exploiting the Ghostcat vulnerability, an attacker will be able to read the contents of configuration files and source code files of all webapps deployed on Tomcat.

Furthermore, should the website application allow users to upload files, an attacker will be able to first upload a file containing malicious JSP script code to the server (the uploaded file itself can be any type of file, such as pictures, plain text files, etc.), and then include the uploaded file by exploiting the Ghostcat vulnerability (CVE-2020-1938), which can finally result in RCE.

Once again, if you can’t upgrade, configure the “requiredSecret” attribute for the AJP Connector to set AJP protocol authentication credentials.

Note that you must change the above “YOUR_TOMCAT_AJP_SECRET” to a safer value.

The Apache Tomcat servers that have been released over the last thirteen years are vulnerable to a bug known as “Ghostcat” (CVE-2020-1938) that allows hackers to take over unpatched systems.

Discovered by Chinese cybersecurity firm Chaitin Tech, Ghostcat is a flaw in the Tomcat AJP protocol.

So first - how can I fix the Ghostcat Vulnerability?

Apache Tomcat has officially released versions 9.0.31, 8.5.51, and 7.0.100 to fix this vulnerability.

To do this correctly, you must determine if the Tomcat AJP Connector service is used in your server environment:

If no cluster or reverse proxy is used, rest assured that AJP is not used.

Otherwise, you’ll need to see if the cluster or the reverse server is communicating with the Tomcat AJP Connector service.

If the AJP Connector service is not used:

1. If the AJP Connector service is not used, you can fix the vulnerability by directly upgrading Tomcat to any of the following versions: 9.0.31, 8.5.51, or 7.0.100.

2. In case you can’t upgrade, you can choose to disable the AJP Connector directly, or change its listening address to the localhost.

Edit /conf/server.xml, find the following line ( is the Tomcat work directory):

If the AJP Connector service is in use, we recommend that you upgrade Tomcat to version 9.0.31, 8.5.51, or 7.0.100, and then configure the “secret” attribute for the AJP Connector to set AJP protocol authentication credentials. In addition to the measures mentioned above, you can use firewalls to prevent untrusted sources from accessing the Tomcat AJP Connector service port.
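The mitigations described above can be checked mechanically. The following Python audit of a server.xml is an added example, not code from the original article or from the Tomcat project: the function name `audit_ajp` is hypothetical, the sample configurations are constructed, and a connector with no `address` attribute is assumed to listen on all interfaces, as the article states.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
PLACEHOLDER = "YOUR_TOMCAT_AJP_SECRET"  # sample value the article says must be changed

def audit_ajp(server_xml: str) -> list[str]:
    """Return one finding per missing mitigation on each active AJP <Connector>."""
    findings = []
    # ElementTree drops XML comments, so a commented-out connector counts as disabled.
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # HTTP connectors are out of scope for this check
        port = conn.get("port", "?")
        address = conn.get("address")
        # "secret" on upgraded versions, "requiredSecret" where upgrading is not possible
        secret = conn.get("secret") or conn.get("requiredSecret")
        if address not in LOOPBACK:
            where = address or "all interfaces"
            findings.append(f"port {port}: listens on {where}, not localhost")
        if not secret:
            findings.append(f"port {port}: no secret/requiredSecret configured")
        elif secret == PLACEHOLDER:
            findings.append(f"port {port}: secret is still the placeholder value")
    return findings

# Constructed sample configurations (not taken from a real deployment).
EXPOSED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""

PLACEHOLDER_LEFT = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             requiredSecret="YOUR_TOMCAT_AJP_SECRET" />
</Service></Server>"""

HARDENED = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secret="constructed-example-secret" />
</Service></Server>"""

DISABLED = """<Server><Service name="Catalina">
  <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
</Service></Server>"""

if __name__ == "__main__":
    for name in ("EXPOSED", "PLACEHOLDER_LEFT", "HARDENED", "DISABLED"):
        print(name, audit_ajp(globals()[name]) or "no findings")
```

To audit a file on disk, read it and pass its text to `audit_ajp`; the firewall restriction on the AJP port mentioned above is outside what this check can see.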
