On January 3, 2020 researchers at Chinese security firm Chaitin Tech responsibly disclosed a critical vulnerability in Apache Tomcat’s Apache JServ Protocol (AJP). AJP improves performance by proxying inbound requests from a web server to an application server. The flaw, named Ghostcat, has been assigned CVE-2020-1938. The Apache Foundation disclosed the vulnerability and released patches on February 20, 2020. Proof of concept code already exists.
Tomcat is a popular set of extensions to the Apache webserver. While most frequently associated with Linux, Apache and Tomcat can run on Windows servers.
The vulnerabilities can allow a remote unauthenticated attacker to do various things, ranging from theft of API keys to the full takeover of the host machine.
The vulnerabilities can allow theft of API keys, access to configuration files, uploading unauthorized files to the webserver root, remote code execution, and in extreme cases, complete takeover of the host machine.
The impact varies depending on the configuration of the server. The most extreme impact exists in servers that permit users to upload files.
The flaw does not require authentication in order to be exploited, making it especially critical on external servers.
A Proof Of Concept (POC) exploit has already been released for this vulnerability making it much easier for attackers to begin utilizing the vulnerability. In addition, scans for the vulnerability have already been detected.
All versions of Apache Tomcat dating from Version 6, first released in 2007, are affected. Tomcat 6 is end-of-life, so only versions 7 onward can be patched. These include:
- 9.0.30 and below
- 8.5.50 and below
- 7.0.99 and below
Managing and Mitigation Risk
Update to 9.0.31, 8.5.51, 7.0.100 or another version recommended by your specific vendor containing a back-ported patch. All major Linux vendors have released advisories and official patches.
Other possible mitigations are to disable Tomcat’s AJP Connector if you are certain your site isn’t using that functionality, or add the “requiredSecret” attribute to your /conf/server.xml configuration file. This attribute is akin to a password so it must be unique to be secure.
Without a deep understanding of the affected web application on the server, applying an update is likely to be faster, easier and less risky than changing the configuration file in this case.
Tenable has released plugins 701269 and 133845 to detect Ghost Cat.
Qualys has released QID 87413.
Deepwatch Identify customers are advised to reach out to your Vulnerability Management Subject Matter Expert in order to get a list of assets that have been discovered in your environment that could be impacted by Ghost Cat.
Dave Farquhar, Vulnerability Management SME
Kate Boucher, Vulnerability Management SME
Britton Grim, Vulnerability Management SME