A critical vulnerability has been found in Apache Tomcat

  • Tuesday, 3rd March, 2020
  • 16:41

Dear Customer

A critical vulnerability, known as Ghostcat and tracked as CVE-2020-1938, has been found in Apache Tomcat.

The flaw is in Tomcat's AJP connector. An attacker who can reach the AJP port can read or include any file inside a deployed web application (including files under WEB-INF, such as web.xml, which Tomcat never serves over HTTP) and, where the application also accepts file uploads, turn that into remote code execution.

Tomcat treats AJP connections as more trusted than a comparable HTTP connection, because AJP is meant to carry requests from a reverse proxy such as Apache httpd rather than from end users. If an attacker can open such a connection directly, that trust can be exploited in several ways.

Technical Overview

CVE-2020-1938

In affected versions the AJP connector can be abused for file read and file inclusion. The default server.xml shipped with those versions enables the connector on TCP port 8009 and binds it to all interfaces (0.0.0.0), so any host that can reach the port can speak AJP to Tomcat. The connector accepts request attributes from the AJP client without restriction, so an attacker can set the attributes Tomcat uses for internal forwarding (javax.servlet.include.request_uri, javax.servlet.include.path_info and javax.servlet.include.servlet_path) and thereby choose which file the default servlet or the JSP servlet processes.

An unauthenticated remote attacker who can reach the AJP port can therefore read any file inside the deployed web applications, such as configuration files and source code. If an application also lets users upload files, the attacker can upload a file containing JSP code (the file type does not matter, so an image or text upload works) and use the same flaw to have Tomcat process it as a JSP, which gives remote code execution.
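The first thing a practitioner wants to know is whether a server's AJP port is reachable at all from an untrusted network position. The following probe is an added example written for this page, not code from the advisory, from Chaitin or from the Tomcat project. It sends the standard AJP13 CPing message (magic 0x1234, two-byte length, type 0x0A) and checks for the CPong reply (magic "AB", type 0x09). The host and port values are placeholders. Note the caveat: Tomcat answers CPing before it checks any configured AJP secret, so a CPong only proves the port is reachable; it says nothing about whether a secret is enforced, and a reachable AJP port is a finding either way.

```python
"""Added example: probe whether a host answers AJP13 on a port (CPing/CPong).

Not part of the advisory or of Tomcat. Host/port values are placeholders.
"""
import socket

AJP_MAGIC_REQUEST = b"\x12\x34"   # client -> container packets start with 0x1234
AJP_MAGIC_RESPONSE = b"AB"        # container -> client packets start with 'AB'
AJP_CPING = 0x0A                  # "are you alive?" message type
AJP_CPONG = 0x09                  # reply message type


def build_cping() -> bytes:
    """Build the 5-byte CPing packet: magic, 2-byte big-endian length, type byte."""
    payload = bytes([AJP_CPING])
    return AJP_MAGIC_REQUEST + len(payload).to_bytes(2, "big") + payload


def parse_response(data: bytes):
    """Return (msg_type, payload) for one container->client packet, or None if malformed."""
    if len(data) < 5 or data[:2] != AJP_MAGIC_RESPONSE:
        return None
    length = int.from_bytes(data[2:4], "big")
    if length < 1 or len(data) < 4 + length:      # truncated or empty body
        return None
    body = data[4:4 + length]
    return body[0], body[1:]


def is_cpong(data: bytes) -> bool:
    """True only for a well-formed CPong reply."""
    parsed = parse_response(data)
    return parsed is not None and parsed[0] == AJP_CPONG


def probe_ajp(host: str, port: int = 8009, timeout: float = 3.0) -> str:
    """Classify an endpoint: 'ajp' (CPong received), 'open-no-ajp', or 'closed'.

    A CPong proves reachability only; Tomcat replies to CPing before any
    AJP secret check, so this cannot tell whether a secret is enforced.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    with sock:
        try:
            sock.sendall(build_cping())
            reply = sock.recv(16)
        except OSError:   # timeout or reset after connecting: listening, but not AJP
            return "open-no-ajp"
    return "ajp" if is_cpong(reply) else "open-no-ajp"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # placeholder target
    print(f"{target}:8009 -> {probe_ajp(target)}")
```

Run it from the network position you care about (for example a host outside the proxy's segment); "ajp" means the connector is exposed to that position and the mitigations below apply regardless of whether a secret is set.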

Affected Versions:

It affects Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, i.e. Tomcat 9 before 9.0.31, Tomcat 8.5 before 8.5.51 and Tomcat 7 before 7.0.100. The end-of-life branches (Tomcat 6 and 8.0.x) are not covered by the Apache fix; treat them as affected and upgrade.

Mitigation:

The first step is to check whether the AJP connector is in use at all. It is only needed when a front end such as Apache httpd with mod_jk or mod_proxy_ajp forwards requests to Tomcat over AJP. If it is not in use, disable it by commenting it out in conf/server.xml:

 <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->

If the connector is needed, restrict who can reach it. Bind it to the interface the proxy uses (address="127.0.0.1" when the proxy runs on the same host) and block TCP port 8009 in the server firewall for every source except the specific public or private IP addresses of the proxies that need it. The AJP port should never be reachable from the public Internet.

Another recommended option is to configure a shared secret for the AJP connection, so that only requests from proxy workers presenting the same secret are accepted. On the Tomcat side, edit server.xml:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="YOUR_TOMCAT_IP_ADDRESS" requiredSecret="YOUR_AJP_SECRET" />

Note: Replace YOUR_AJP_SECRET with a long, randomly generated value. The same secret must be configured on the proxy side (the secret worker property for mod_jk, or the secret= parameter on the ProxyPass line for mod_proxy_ajp in recent httpd 2.4 releases), otherwise the proxy's own requests will be rejected. In the fixed releases (9.0.31, 8.5.51 and 7.0.100) the attribute was renamed to secret and a new secretRequired attribute was added that defaults to true, so an AJP connector without a secret refuses to start; requiredSecret still works there but is deprecated. The secret only rejects requests that lack it; it does not replace the upgrade, and the port should still be restricted at the network level.
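To check an existing server.xml against the three points above (connector disabled, bound to a specific address, secret configured), the following audit script is added here as an example; it is not part of this advisory or of Tomcat. The two server.xml fragments are constructed samples: one in the style of the vulnerable default (AJP enabled, no address, no secret) and one hardened form. The attribute names it inspects (address, secret, secretRequired, requiredSecret) are Tomcat's own connector attributes; the finding labels are this script's.

```python
"""Added example: audit a Tomcat server.xml for AJP connector exposure.

Not part of the advisory or of Tomcat. The XML samples are constructed.
"""
import xml.etree.ElementTree as ET

ANY_ADDRESS = {"0.0.0.0", "::", "::0", "0:0:0:0:0:0:0:0"}

# Constructed sample: the pre-fix default style, AJP enabled on every interface, no secret.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# Constructed sample: bound to loopback, secret configured and required.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" secretRequired="true"
               secret="REPLACE_WITH_LONG_RANDOM_VALUE"/>
  </Service>
</Server>"""


def is_ajp(connector):
    """AJP connectors use protocol="AJP/1.3" or an implementation class name such as
    org.apache.coyote.ajp.AjpNioProtocol; both contain 'ajp'."""
    return "ajp" in connector.get("protocol", "").lower()


def audit_ajp(server_xml):
    """Return (port, issue) pairs for every active AJP connector.

    XML comments are dropped by the parser, so a connector that has been
    commented out (the first mitigation) produces no findings.
    """
    findings = []
    root = ET.fromstring(server_xml)
    for c in root.iter("Connector"):
        if not is_ajp(c):
            continue
        port = c.get("port", "?")
        address = c.get("address")
        # No address means all interfaces on the vulnerable releases (the fixed
        # releases default to loopback); an explicit bind is the safe choice either way.
        if address is None or address in ANY_ADDRESS:
            findings.append((port, "bind-all-interfaces"))
        secret = c.get("secret") or c.get("requiredSecret")
        if not secret:
            findings.append((port, "no-secret"))
        elif c.get("requiredSecret") and not c.get("secret"):
            findings.append((port, "deprecated-requiredSecret"))
        if c.get("secretRequired", "true").lower() == "false":
            findings.append((port, "secretRequired-disabled"))
    return findings


if __name__ == "__main__":
    import sys
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_SERVER_XML
    for port, issue in audit_ajp(xml_text) or [("-", "no active AJP connector")]:
        print(f"AJP connector on port {port}: {issue}")
```

Run it as `python audit_ajp.py /path/to/conf/server.xml`; with no argument it audits the constructed weak sample. Any finding other than "deprecated-requiredSecret" means one of the mitigations above has not been applied.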

Fixed Versions:

9.0.31, 8.5.51, and 7.0.100

We at HostingInIndia encourage all customers to follow security best practices and keep their systems updated and patched against known vulnerabilities. Upgrading to one of the fixed versions is the proper remedy; the configuration changes above reduce exposure while an upgrade is being scheduled.

Official security advisories:

https://nvd.nist.gov/vuln/detail/CVE-2020-1938

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938

https://www.chaitin.cn/en/ghostcat

https://access.redhat.com/security/cve/CVE-2020-1938

All clients hosted with us for Java Hosting will be notified by email with more details.
