CVE-2020-1938

9.8 / 10
CRITICAL

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising.

In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed:

- returning arbitrary files from anywhere in the web application
- processing any file in the web application as a JSP

Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible.

It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
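A defender's check that follows from the advisory above, as an added example (not code from Apache Tomcat or from this page): it parses a `server.xml` and reports every active AJP Connector together with its bind-address and shared-secret settings. The sample configuration is constructed, and `address`, `secret`, `requiredSecret` and `secretRequired` are Tomcat AJP Connector attributes that the page itself does not name.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- <Connector port="8010" protocol="AJP/1.3" /> -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8019" protocol="AJP/1.3" address="0.0.0.0"
               secretRequired="false" />
    <Connector port="8029" protocol="AJP/1.3" address="127.0.0.1"
               secret="constructed-placeholder" />
  </Service>
</Server>"""


def audit_ajp_connectors(server_xml):
    """Return {port: [issues]} for every active AJP Connector.

    Commented-out connectors are skipped because the parser drops comments.
    """
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # A Connector without a protocol attribute is HTTP/1.1, not AJP.
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue
        issues = []
        address = conn.get("address")
        if address is None:
            issues.append("no address: affected versions bind all interfaces")
        elif address not in LOOPBACK:
            issues.append(f"bound to non-loopback address {address}")
        # 'requiredSecret' is the older spelling of the 'secret' attribute.
        if not (conn.get("secret") or conn.get("requiredSecret")):
            issues.append("no shared secret configured")
        if conn.get("secretRequired", "").lower() == "false":
            issues.append("secretRequired is disabled")
        findings[conn.get("port")] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_ajp_connectors(SAMPLE_SERVER_XML).items():
        status = "; ".join(issues) if issues else "ok"
        print(f"AJP connector on port {port}: {status}")
```

An empty issue list means the connector is bound to loopback with a shared secret; whether the port is still reachable by untrusted hosts also depends on firewalling and proxy placement, which this check does not see.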

Weakness: Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Published: 2020-02-24

CVE-2020-1938 Vulnerable Docker Environment

Vulhub is an open-source collection of Docker-ized vulnerable environments. No pre-existing knowledge of Docker is required; just execute two simple commands and you have a vulnerable environment.


Apache Tomcat AJP Arbitrary File Read / Include Vulnerability (CVE-2020-1938)

Java is currently the most popular programming language in Web development, and Tomcat is one of the most popular Java middleware servers. It has been used for more than 20 years since its initial release.

Ghostcat is a serious vulnerability in Tomcat discovered by a security researcher at Chaitin Tech. Due to a flaw in the Tomcat AJP protocol, an attacker can read or include any files in the webapp directories of Tomcat. For example, an attacker can read the webapp configuration files or source code. In addition, if the target web application has a file upload function, the attacker may execute malicious code on the target host by exploiting file inclusion through the Ghostcat vulnerability.

References:

  • https://www.chaitin.cn/en/ghostcat
  • https://www.cnvd.org.cn/webinfo/show/5415
  • https://mp.weixin.qq.com/s/D1hiKJpah3NhEBLwtTodsg
  • https://mp.weixin.qq.com/s/GzqLkwlIQi_i3AVIXn59FQ

Environment Setup

Start a local Apache Tomcat 9.0.30:

docker-compose up -d

After the command above completes successfully, the Tomcat example page is available at http://your-ip:8080, and the AJP port 8009 is also listening.

Proof Of Concept

Test it online at https://www.chaitin.cn/en/ghostcat.

Here are some tools to test this vulnerability:

  • https://github.com/chaitin/xray
  • https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi

Bug Bounty

U.S. Dept Of Defense: Tomcat examples available for public, Disclosure Apache Tomcat version, Critical/High/Medium CVE

submitted by pvm 9 months ago
publicly disclosed 8 months ago
