Web servers running Apache Tomcat are vulnerable to a new high-severity (CVSS 9.8) file read and inclusion bug that can be exploited in the default configuration.
Anyone running Apache Tomcat should install the latest available release immediately to keep attackers from gaining unauthorized control over the server.
All versions (9.x, 8.x, 7.x and 6.x) of Apache Tomcat released in the past 13 years are affected.
This is a serious concern because numerous proof-of-concept exploits for the vulnerability are already available on the Internet, which makes it easy for anyone to attack publicly accessible vulnerable servers.
The vulnerability, dubbed ‘Ghostcat’ and tracked as CVE-2020-1938, lets unauthenticated remote attackers read any file inside the web application directories of a vulnerable server (the rest of the filesystem is out of reach), which is enough to obtain sensitive configuration files such as WEB-INF/web.xml or application source code, and can lead to arbitrary code execution if the application also lets users upload files.
How the Ghostcat flaw works
Chinese cybersecurity company Chaitin Tech, which found the bug, states that it resides in the AJP connector of Apache Tomcat: Tomcat treats every AJP connection as coming from a trusted front-end server and therefore accepts request attributes supplied by the client without validation, including the javax.servlet.include.request_uri, javax.servlet.include.path_info and javax.servlet.include.servlet_path attributes that decide which resource the DefaultServlet serves or the JspServlet compiles.
According to the researchers, if the site lets users upload files, an attacker can first upload a file containing malicious JSP code to the server. The file can be of any type, such as an image or plain text. The attacker then uses Ghostcat to make Tomcat include that uploaded file as a JSP, so it is compiled and executed, which ultimately leads to remote code execution.
The Apache JServ Protocol (AJP) is a binary protocol, designed as a more efficient alternative to HTTP, that lets a front-end web server such as Apache httpd (through mod_jk or mod_proxy_ajp) forward requests to Tomcat.
In the affected versions the AJP connector is enabled by default and listens on TCP port 8009, bound to all interfaces (0.0.0.0). The bug can only be exploited remotely when that port is reachable by untrusted clients, but because the connector binds to every interface out of the box, that is the situation on many installations.
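To make the mechanism concrete, here is an added example (not code from the article, from Chaitin Tech or from the Tomcat project) that encodes and decodes AJP13 forward-request packets and flags the three request attributes Ghostcat relies on. The two packets are constructed for illustration, the host names and addresses in them are placeholders, and the javax.servlet.include.* attribute names come from the public analysis of the bug; the decoder is the kind of check you could run over captured port 8009 traffic.

```python
"""Decode AJP13 forward-request packets and flag the attributes Ghostcat relies on.

Added example; not code from the original article, Chaitin Tech or the Tomcat
project. The two packets at the bottom are constructed for illustration. The wire
format used (magic 0x1234, 2-byte length, prefix 0x02 = forward request, length-
prefixed NUL-terminated strings, 0x0A = named request attribute, 0xFF terminator)
follows the published AJP13 protocol description.
"""
import struct

FORWARD_REQUEST, REQ_ATTRIBUTE, SSL_KEY_SIZE, ATTR_TERMINATOR = 0x02, 0x0A, 0x0B, 0xFF
METHODS = {2: "GET", 3: "HEAD", 4: "POST"}                  # subset of the method table
CODED_ATTRS = {0x01: "context", 0x02: "servlet_path", 0x03: "remote_user",
               0x04: "auth_type", 0x05: "query_string", 0x06: "route", 0x07: "ssl_cert",
               0x08: "ssl_cipher", 0x09: "ssl_session", 0x0C: "secret", 0x0D: "stored_method"}
# Tomcat consults these when servicing an include, so a client that can set them
# chooses which resource DefaultServlet serves or JspServlet compiles.
GHOSTCAT_ATTRS = {"javax.servlet.include.request_uri", "javax.servlet.include.path_info",
                  "javax.servlet.include.servlet_path"}


def ajp_string(s):
    """AJP string: 2-byte big-endian length, bytes, NUL. None encodes as 0xFFFF."""
    if s is None:
        return b"\xff\xff"
    data = s.encode()
    return struct.pack(">H", len(data)) + data + b"\x00"


def build_forward_request(uri, attributes, method=2):
    """Encode a minimal forward request (one Host header) plus named attributes."""
    body = bytes([FORWARD_REQUEST, method]) + ajp_string("HTTP/1.1") + ajp_string(uri)
    body += ajp_string("10.0.0.5") + ajp_string(None) + ajp_string("tomcat.example")  # remote_addr, remote_host, server_name
    body += struct.pack(">HBH", 8009, 0, 1) + ajp_string("host") + ajp_string("tomcat.example")  # port, is_ssl=0, 1 header
    for name, value in attributes:
        body += bytes([REQ_ATTRIBUTE]) + ajp_string(name) + ajp_string(value)
    body += bytes([ATTR_TERMINATOR])
    return b"\x12\x34" + struct.pack(">H", len(body)) + body


class Reader:
    """Cursor over the packet payload with the AJP primitive decoders."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def byte(self):
        self.pos += 1
        return self.data[self.pos - 1]

    def int16(self):
        self.pos += 2
        return struct.unpack_from(">H", self.data, self.pos - 2)[0]

    def raw_string(self, n):
        s = self.data[self.pos:self.pos + n].decode(errors="replace")
        self.pos += n + 1                                   # skip the NUL terminator
        return s

    def string(self):
        n = self.int16()
        return None if n == 0xFFFF else self.raw_string(n)

    def header_name(self):
        first = self.int16()
        if first >> 8 == 0xA0:                              # 0xA0xx: coded well-known header
            return "sc_req_header_%02x" % (first & 0xFF)
        return self.raw_string(first)


def parse_forward_request(packet):
    """Decode a client-to-container forward request; raise ValueError otherwise."""
    if len(packet) < 5 or packet[:2] != b"\x12\x34":
        raise ValueError("not a client-to-container AJP packet")
    r = Reader(packet[4:4 + struct.unpack(">H", packet[2:4])[0]])
    if r.byte() != FORWARD_REQUEST:
        raise ValueError("not a forward request")
    req = {"method": METHODS.get(r.byte(), "?"), "protocol": r.string(), "uri": r.string(),
           "remote_addr": r.string(), "remote_host": r.string(), "server_name": r.string(),
           "server_port": r.int16(), "is_ssl": bool(r.byte()), "headers": {}, "attributes": {}}
    for _ in range(r.int16()):
        name = r.header_name()                              # name precedes value on the wire
        req["headers"][name] = r.string()
    while True:
        code = r.byte()
        if code == ATTR_TERMINATOR:
            break
        if code == REQ_ATTRIBUTE:
            name = r.string()
            req["attributes"][name] = r.string()
        elif code == SSL_KEY_SIZE:
            req["attributes"]["ssl_key_size"] = r.int16()
        else:
            req["attributes"][CODED_ATTRS.get(code, "attr_%02x" % code)] = r.string()
    return req


def ghostcat_indicators(req):
    """Sorted names of attacker-settable include attributes present in req."""
    return sorted(set(req["attributes"]) & GHOSTCAT_ATTRS)


# Constructed sample: a probe asking DefaultServlet to serve WEB-INF/web.xml.
SAMPLE_PROBE = build_forward_request("/index.txt", [
    ("javax.servlet.include.request_uri", "/"),
    ("javax.servlet.include.path_info", "WEB-INF/web.xml"),
    ("javax.servlet.include.servlet_path", "/")])
# Constructed sample: an ordinary request as mod_jk would forward it.
SAMPLE_BENIGN = build_forward_request("/index.html", [("AJP_REMOTE_PORT", "51234")])
```

Calling `ghostcat_indicators(parse_forward_request(SAMPLE_PROBE))` returns the three include attributes, while the benign packet yields an empty list: a genuine front end forwards headers, coded attributes and things like AJP_REMOTE_PORT, never javax.servlet.include.* names, so their mere presence on a connection is a reliable indicator. The decoder only handles the client-to-container direction (magic 0x1234); container-to-client packets use the magic "AB" and a different layout.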
According to Onyphe, a search engine for open-source and cyber threat intelligence data, more than 170,000 devices expose an AJP connector to the whole Internet.
Chaitin researchers discovered and reported the flaw to the Apache Tomcat project last month, and the project has released Apache Tomcat 9.0.31, 8.5.51 and 7.0.100 to patch it. Tomcat 6.x is end of life and will not receive a fix, so those installations have to be upgraded or have their AJP connector disabled.
The same releases also fix two other, low-severity HTTP request smuggling issues (CVE-2020-1935 and CVE-2019-17569).
Users and administrators are strongly advised to apply the updates as soon as possible. They should also never expose the AJP port to untrusted clients: the connector is meant to be used only on a trusted network between the front-end web server and Tomcat. In the patched releases the AJP connector is commented out in the default server.xml, binds to the loopback address when no address is given, and refuses to start unless a shared secret is configured (secretRequired="true" with a secret attribute), so any front end that still needs AJP must be configured with the same secret.
If the affected server cannot be upgraded immediately, the AJP connector must be disabled outright by commenting out its <Connector> element in conf/server.xml, or its listening address changed to localhost with address="127.0.0.1" if the front-end web server runs on the same host.
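The following added example (not from the article or the Tomcat project) puts the weak default connector beside the hardened one and audits a server.xml for the settings discussed above. Both server.xml fragments are constructed here; the connector attribute names (protocol, port, address, secretRequired, secret) are Tomcat's own, and the secret value is a placeholder to be replaced.

```python
"""Audit the AJP connector(s) declared in a Tomcat conf/server.xml.

Added example; not part of the original article or of the Tomcat project. The two
server.xml fragments are constructed here: WEAK_SERVER_XML reproduces the AJP
connector shipped in the default server.xml before the fix, HARDENED_SERVER_XML the
form to use on 9.0.31 / 8.5.51 / 7.0.100. The attribute names (protocol, port,
address, secretRequired, secret) are Tomcat's own AJP connector attributes.
"""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed: pre-fix default. The connector is live, has no address attribute
# (which meant 0.0.0.0 before the fix) and accepts any client as trusted.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

# Constructed: hardened form for a patched release. Loopback only, secretRequired
# kept at its new default of true, and a shared secret that the front end
# (e.g. the mod_jk worker's "secret" property) must present on every connection.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-A-LONG-RANDOM-VALUE"
               redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""


def audit_ajp(server_xml):
    """Return one finding string per weakness found on each active AJP connector.

    A connector that has been commented out (the mitigation for servers that
    cannot be upgraded, and what the patched default server.xml ships) is not
    seen by the XML parser and therefore yields no findings, which is correct.
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # protocol may be "AJP/1.3" or a class such as org.apache.coyote.ajp.AjpNioProtocol
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue
        where = "AJP connector on port %s" % conn.get("port", "8009")
        address = conn.get("address")
        if address is None or address in ("0.0.0.0", "::"):
            findings.append(where + " has no loopback address (all interfaces before the fix);"
                                    " set address=\"127.0.0.1\"")
        elif address not in LOOPBACK:
            findings.append(where + " listens on %s; confirm only the front end can reach it" % address)
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append(where + " has secretRequired=\"false\"; any client is trusted")
        elif not conn.get("secret"):
            findings.append(where + " has no secret (unpatched: any client is trusted;"
                                    " patched: the connector refuses to start)")
    return findings


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label + ":", audit_ajp(xml) or ["no findings"])
```

Run against the weak fragment the audit reports two findings (all-interface bind, no secret); against the hardened fragment it reports none. The secret must also be configured on the front end, and note that a loopback bind only helps when the front-end web server runs on the same host; otherwise restrict port 8009 with a host firewall to the front end's address.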