Ghostcat is a high-risk file read / include vulnerability in Tomcat

【 CVE-2020-1938 】

Introduction

Java is currently the most popular programming language in Web development, and Tomcat is one of the most popular Java middleware servers. It has been used for more than 20 years since its initial release.

Ghostcat is a serious vulnerability in Tomcat discovered by a security researcher at Chaitin Tech. Due to a flaw in the Tomcat AJP protocol, an attacker can read or include any file in the webapp directories of Tomcat. For example, an attacker can read the webapp configuration files or source code. In addition, if the target web application has a file upload function, the attacker may execute malicious code on the target host by exploiting file inclusion through the Ghostcat vulnerability.

Q & A

Why is this vulnerability called Ghostcat?

This vulnerability affects all versions of Tomcat in the default configuration (when we found this vulnerability, it was confirmed to affect all versions of Tomcat 9/8/7/6; older versions were not verified), which means that it has been dormant in Tomcat for more than a decade.

What is Tomcat AJP Connector?

The Tomcat Connector is the channel through which Tomcat connects to the outside. It enables Catalina to receive requests from the outside, pass them to the corresponding web application for processing, and return the response to the request.

By default, Tomcat is configured with two Connectors, which are HTTP Connector and AJP Connector:

HTTP Connector: used to process HTTP protocol requests (HTTP/1.1), and the default listening address is 0.0.0.0:8080

AJP Connector: used to process AJP protocol requests (AJP/1.3), and the default listening address is 0.0.0.0:8009

The HTTP Connector provides the HTTP web service that we use most often. The AJP Connector uses the AJP protocol (Apache JServ Protocol). The AJP protocol can be understood as a performance-optimized, binary version of the HTTP protocol. It reduces the processing cost of HTTP requests, so it is mainly used in scenarios that require clustering or a reverse proxy.

What can Ghostcat do?

By exploiting the Ghostcat vulnerability, an attacker can read the contents of configuration files and source code files of all webapps deployed on Tomcat.

In addition, if the website application allows users to upload files, an attacker can first upload a file containing malicious JSP script code to the server (the uploaded file itself can be any type of file, such as a picture or a plain text file), and then include the uploaded file by exploiting the Ghostcat vulnerability, which can ultimately result in remote code execution.

What versions of Tomcat are affected?

Apache Tomcat 9.x < 9.0.31

Apache Tomcat 8.x < 8.5.51

Apache Tomcat 7.x < 7.0.100

Apache Tomcat 6.x

Under what circumstances can Tomcat be exploited?

If the AJP Connector is enabled and the attacker can reach the AJP Connector service port, there is a risk of being exploited through the Ghostcat vulnerability.

It should be noted that the Tomcat AJP Connector is enabled by default and listens on 0.0.0.0:8009.

How can I fix it?

Apache Tomcat has officially released versions 9.0.31, 8.5.51, and 7.0.100 to fix this vulnerability.

To fix this vulnerability correctly, you first need to determine if the Tomcat AJP Connector service is used in your server environment:

- If no cluster or reverse proxy is used, you can generally conclude that AJP is not used.

- Otherwise, you need to determine whether the cluster or reverse proxy server communicates with Tomcat through the AJP Connector service.

1. If the AJP Connector service is not used:

If the AJP Connector service is not used, you can directly upgrade Tomcat to version 9.0.31, 8.5.51, or 7.0.100 to fix the vulnerability.

If you cannot upgrade, you can choose to disable the AJP Connector directly, or change its listening address to localhost.

Steps:

(1) Edit <CATALINA_BASE>/conf/server.xml and find the following line (<CATALINA_BASE> is the Tomcat working directory):

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

(2) Comment it out (or just delete it):

<!--<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />-->

(3) Save the edit, and then restart Tomcat.

In addition to the above measures, you can also use a firewall to prevent untrusted sources from reaching the Tomcat AJP Connector service port.

2. If the AJP Connector service is in use:

If the AJP Connector service is in use, we recommend that you upgrade Tomcat to version 9.0.31, 8.5.51, or 7.0.100, and then configure the "secret" attribute on the AJP Connector to set AJP protocol authentication credentials. For example:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="YOUR_TOMCAT_IP_ADDRESS" secret="YOUR_TOMCAT_AJP_SECRET" />

If you cannot upgrade, you can configure the "requiredSecret" attribute on the AJP Connector to set AJP protocol authentication credentials. For example:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="YOUR_TOMCAT_IP_ADDRESS" requiredSecret="YOUR_TOMCAT_AJP_SECRET" />

(Note that you must change "YOUR_TOMCAT_AJP_SECRET" above to a strong value that cannot be easily guessed or brute-forced.)
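The following is an added example, not part of the original advisory, that turns the affected-version list and the server.xml hardening steps above into an audit check. It compares a Tomcat version string against the fixed releases named in this advisory and inspects a server.xml for AJP connectors that still listen on all interfaces without a "secret" or "requiredSecret" attribute; the sample server.xml is constructed here and mirrors the default connector line shown above.

```python
import xml.etree.ElementTree as ET

# First fixed release per major line, as stated in this advisory (6.x received no fix).
FIXED_VERSIONS = {9: (9, 0, 31), 8: (8, 5, 51), 7: (7, 0, 100)}

def parse_version(version):
    """Turn a dotted version string such as "8.5.50" into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))

def is_vulnerable_version(version):
    """True if this Tomcat version predates the fix for CVE-2020-1938."""
    parsed = parse_version(version)
    major = parsed[0]
    if major == 6:
        return True  # every 6.x release is affected and unpatched
    if major not in FIXED_VERSIONS:
        return False  # major lines newer than 9 shipped after the fix
    return parsed < FIXED_VERSIONS[major]

def audit_ajp_connectors(server_xml):
    """Report each active AJP Connector and whether it is exposed without a shared secret."""
    root = ET.fromstring(server_xml)  # commented-out connectors are not parsed as elements
    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").startswith("AJP/"):
            continue
        # Tomcat binds to all interfaces when no address attribute is set.
        address = conn.get("address", "0.0.0.0")
        has_secret = bool(conn.get("secret") or conn.get("requiredSecret"))
        exposed = address not in ("127.0.0.1", "localhost", "::1")
        findings.append({
            "port": conn.get("port"),
            "address": address,
            "authenticated": has_secret,
            "exposed": exposed,
            "at_risk": exposed and not has_secret,
        })
    return findings

# Constructed sample server.xml with the default AJP connector line from the advisory.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""
```

Running audit_ajp_connectors on the sample flags port 8009 as at risk; after applying the address and secret attributes from the example above, or commenting the connector out, the finding disappears.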


Detection Tool

Use the xray community vulnerability scanner from Chaitin Tech to detect the Ghostcat vulnerability.

Emergency Services

If you need emergency response assistance, please contact us.

Tel: 027-59760362

Timeline

2020/01/03: Chaitin Tech reported the vulnerability to the Apache Tomcat project

2020/02/11: Apache Tomcat released versions 9.0.31 and 8.5.51 to fix the vulnerability

2020/02/14: Apache Tomcat released version 7.0.100 to fix the vulnerability

2020/02/20: CNVD released a security notice

2020/02/20: Chaitin Tech released a security notice