Apache Tomcat releases from the last thirteen years are vulnerable to a bug called “Ghostcat” that allows hackers to take over unpatched systems.
So first - how can I fix it?
Apache Tomcat has officially released versions 9.0.31, 8.5.51, and 7.0.100 to fix this vulnerability.
To do this correctly, you must determine if the Tomcat AJP Connector service is used in your server environment:
- If no cluster or reverse proxy is used, rest assured that AJP is not used.
- Otherwise, you’ll need to check whether the cluster or the reverse proxy is communicating with the Tomcat AJP Connector service.
If the AJP Connector service is not used:
If the AJP Connector service is not used, you can fix the vulnerability by directly upgrading Tomcat to any of the following versions: 9.0.31, 8.5.51, or 7.0.100.
In case you can’t upgrade, you can choose to disable the AJP Connector directly, or change its listening address to the localhost.
1. Edit <CATALINA_BASE>/conf/server.xml and find the following line (<CATALINA_BASE> is the Tomcat work directory):
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
2. Comment it out (or just delete it):
<!--<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />-->
3. Save the edit, and then restart Tomcat.
In addition to the measures mentioned above, you can use firewalls to prevent untrusted sources from accessing the Tomcat AJP Connector service port.
If the AJP Connector service is in use:
If the AJP Connector service is in use, we recommend that you upgrade Tomcat to version 9.0.31, 8.5.51, or 7.0.100, and then configure the “secret” attribute for the AJP Connector to set AJP protocol authentication credentials. For example:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="YOUR_TOMCAT_IP_ADDRESS" secret="YOUR_TOMCAT_AJP_SECRET" />
Once again, if you can’t upgrade, configure the “requiredSecret” attribute for the AJP Connector to set AJP protocol authentication credentials. For example:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="YOUR_TOMCAT_IP_ADDRESS" requiredSecret="YOUR_TOMCAT_AJP_SECRET" />
Note that you must change the above “YOUR_TOMCAT_AJP_SECRET” to a safer value.
So what can Ghostcat do?
By exploiting the Ghostcat vulnerability, an attacker is able to read the contents of configuration files and source code files of all webapps deployed on Tomcat.
Furthermore, if the web application allows users to upload files, an attacker can first upload a file containing malicious JSP script code to the server (the uploaded file itself can be any type of file, such as a picture or a plain text file), and then include the uploaded file by exploiting the Ghostcat vulnerability, which can finally result in RCE.
What versions of the Tomcat are affected?
- Apache Tomcat 9.x < 9.0.31
- Apache Tomcat 8.x < 8.5.51
- Apache Tomcat 7.x < 7.0.100
- Apache Tomcat 6.x
Under what circumstances can Tomcat be exploited?
If the AJP Connector is enabled and the attacker can reach the AJP Connector service port, there is a risk of being exploited through the Ghostcat vulnerability.
It should be noted that Tomcat AJP Connector is enabled by default and listens at 0.0.0.0:8009.
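The two conditions above (AJP enabled, AJP reachable) plus the version table are easy to check mechanically. The following is an added example, not code from the original post or from the Apache Tomcat project: it parses a server.xml the way the fix steps describe (finding AJP/1.3 Connector elements, checking their address and whether secret or requiredSecret is set) and combines that with the fixed-version thresholds the post lists. The three server.xml samples are constructed for the example, and the secret value in the hardened sample is a placeholder.

```python
"""Audit a Tomcat server.xml for Ghostcat (CVE-2020-1938) exposure.

Added example, not part of the original post or of Apache Tomcat. It assumes the
server.xml layout shown in the post (Connector elements carrying port, protocol,
optional address, and secret or requiredSecret) and the fixed releases it names.
"""
import xml.etree.ElementTree as ET

# Fixed releases named in the post, keyed by major version. 6.x never received a fix.
FIXED_VERSIONS = {9: (9, 0, 31), 8: (8, 5, 51), 7: (7, 0, 100)}

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"0.0.0.0", "::"}

# Constructed sample: default-style server.xml with the AJP line the post tells you to find.
DEFAULT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed sample: the post's hardened form, bound to one address with a secret set
# (the secret here is a placeholder value, not a recommendation).
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="10.0.0.5" secret="example-placeholder-3f9a1c" />
  </Service>
</Server>"""

# Constructed sample: AJP disabled by commenting the Connector out, as in fix step 2.
DISABLED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!--<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />-->
  </Service>
</Server>"""


def parse_version(version: str) -> tuple:
    """'8.5.50' -> (8, 5, 50) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when the version is below the fixed release for its major line."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:  # 6.x and older: no fixed release exists
        return True
    return parsed < fixed


def audit_ajp_connectors(server_xml: str) -> list:
    """One finding per AJP connector; an empty list means AJP is not configured.

    ElementTree discards XML comments, so a commented-out Connector is reported
    as absent, which is exactly the state fix step 2 is meant to produce.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").startswith("AJP"):
            continue
        address = conn.get("address", "0.0.0.0")  # Tomcat binds all interfaces when unset
        secret = conn.get("secret") or conn.get("requiredSecret")
        issues = []
        if address in WILDCARD:
            issues.append("listens on all interfaces")
        elif address not in LOOPBACK:
            issues.append("reachable from the network; restrict with a firewall")
        if not secret:
            issues.append("no AJP secret configured")
        elif secret.startswith("YOUR_TOMCAT"):
            issues.append("placeholder secret from the example left in place")
        findings.append({"port": conn.get("port"), "address": address,
                         "has_secret": bool(secret), "issues": issues})
    return findings


def ghostcat_verdict(server_xml: str, version: str) -> str:
    """Worst-case verdict across all AJP connectors, following the post's decision tree."""
    findings = audit_ajp_connectors(server_xml)
    if not findings:
        return "not-exposed"
    old = is_vulnerable_version(version)
    rank = ["hardened", "upgraded-without-secret", "mitigated-by-secret",
            "mitigated-by-binding", "vulnerable"]
    worst = "hardened"
    for f in findings:
        reachable = f["address"] not in LOOPBACK
        if old and not f["has_secret"]:
            verdict = "vulnerable" if reachable else "mitigated-by-binding"
        elif old:
            verdict = "mitigated-by-secret"
        elif not f["has_secret"]:
            verdict = "upgraded-without-secret"  # post still recommends setting a secret
        else:
            verdict = "hardened"
        if rank.index(verdict) > rank.index(worst):
            worst = verdict
    return worst


if __name__ == "__main__":
    for name, xml in [("default", DEFAULT_SERVER_XML), ("hardened", HARDENED_SERVER_XML),
                      ("disabled", DISABLED_SERVER_XML)]:
        print(name, "8.5.50 ->", ghostcat_verdict(xml, "8.5.50"),
              "| 8.5.51 ->", ghostcat_verdict(xml, "8.5.51"))
```

Run it against your own <CATALINA_BASE>/conf/server.xml by reading the file into `ghostcat_verdict` together with the version string from `catalina.sh version`; "mitigated-by-binding" and "mitigated-by-secret" correspond to the post's two fallbacks for servers that cannot be upgraded, while "upgraded-without-secret" flags a patched server that has not yet set the secret the post recommends.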
GitHub is currently full of exploits
The Ghostcat vulnerability identifier is CVE-2020-1938.
According to a BinaryEdge search, there are more than one million Tomcat servers currently available online.
Red Hat recommends disabling the AJP connector in Tomcat if it is not used, or binding it to localhost. This is because most AJP use is in cluster environments, and port 8009 should never be exposed to the internet without strict access-control lists.
To learn more about how Vulcan can help you orchestrate remediation, speak with one of our experts