Published on: 24 February 2020
Apache Software Foundation has released new versions of Apache Tomcat 7, 8.5 and 9 to address a vulnerability in the Apache JServ Protocol (AJP). An unauthenticated remote attacker may send specially crafted requests to read web application files or upload malicious JavaServer Pages (JSP) code to execute arbitrary commands.
Reports indicate that exploit code for the vulnerability in the Apache JServ Protocol (AJP) has been released publicly. Users are advised to take immediate action to patch their affected systems to mitigate the elevated risk of cyber attacks. For systems hosted on outsourced platforms, system owners should confirm with their web hosting service providers that the relevant patches have been applied.
Please note that Apache announced that support for Tomcat 6.x and 8.x ended on 31 December 2016 and 30 June 2018 respectively. No security updates will be provided for those branches. Users should arrange to upgrade Apache Tomcat to a supported version or to migrate to other supported technology.
Successful exploitation of the vulnerability could lead to information disclosure and arbitrary code execution on an affected system.
Apache Software Foundation has released new versions of the affected products to address the issue; they can be downloaded at the following URLs:
In case Apache Tomcat 6.x is still in use, system administrators should follow the recommendations provided in the URL below to disable the AJP Connector, or to set appropriate authentication credentials on the Connector, to mitigate the vulnerability:
https://www.chaitin.cn/en/ghostcat
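The two mitigations above (disable the AJP Connector, or keep it but bind it to the loopback address and require a shared secret) are both settings in Tomcat's conf/server.xml. The following audit script is an added example, not part of this advisory or of Apache Tomcat: it parses a server.xml and reports every AJP Connector that is still enabled, listening on a non-loopback address, or configured without a shared secret. It assumes the standard Connector attributes (protocol, address, port, secret, secretRequired, and the older requiredSecret name); the embedded server.xml is a constructed sample with one unmitigated and one hardened connector, and the secret value in it is a placeholder.

```python
"""Audit a Tomcat server.xml for AJP connectors that lack the advisory's mitigations.

Added example (not Apache Tomcat code). A connector that has been commented out
is not parsed at all, so it produces no finding: that is the "disable the AJP
Connector" mitigation. An enabled connector is checked for two things:
  * it should listen only on a loopback address, and
  * it should require a shared secret (attribute `secret`, formerly `requiredSecret`).
"""
import xml.etree.ElementTree as ET

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}

# Constructed sample server.xml: port 8009 is the stock pre-fix default
# (AJP on every interface, no secret); port 8010 shows the hardened form.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- Unmitigated: all interfaces, no shared secret -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <!-- Hardened: loopback only, shared secret required (placeholder value) -->
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-REAL-SECRET" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding dict per enabled AJP <Connector> in server_xml.

    Each dict has 'port', 'address' and a list of 'issues'; an empty issue
    list means the connector already carries both mitigations.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # protocol may be "AJP/1.3" or a class name such as
        # org.apache.coyote.ajp.AjpNioProtocol; both contain "ajp".
        protocol = conn.get("protocol", "HTTP/1.1")
        if "ajp" not in protocol.lower():
            continue
        # Before the fixed releases, an AJP connector with no `address`
        # listened on all interfaces.
        address = conn.get("address", "0.0.0.0")
        secret = conn.get("secret") or conn.get("requiredSecret")
        secret_required = conn.get("secretRequired", "true").lower() != "false"

        issues = []
        if address not in LOOPBACK_ADDRESSES:
            issues.append("listens on non-loopback address %s" % address)
        if not secret:
            if secret_required:
                issues.append("no shared secret configured")
            else:
                issues.append("secretRequired=false and no shared secret configured")
        findings.append({"port": conn.get("port"), "address": address, "issues": issues})
    return findings


def exposed_connectors(server_xml: str) -> list:
    """Ports of AJP connectors that still have at least one unmitigated issue."""
    return [f["port"] for f in audit_ajp_connectors(server_xml) if f["issues"]]


if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not finding["issues"] else "; ".join(finding["issues"])
        print("AJP connector on %s:%s -> %s" % (finding["address"], finding["port"], status))
```

To run it against a real deployment, read conf/server.xml into a string and pass it to audit_ajp_connectors; any port returned by exposed_connectors is a connector that should be commented out, or bound to loopback and given a secret, before the host is considered mitigated.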
https://tomcat.apache.org/tomcat-7.0-doc/changelog.html#Tomcat%207.0.100%20(violetagg)
https://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.51_(markt)
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.31_(markt)
https://tomcat.apache.org/tomcat-60-eol.html
https://tomcat.apache.org/tomcat-80-eol.html
https://www.cnvd.org.cn/webinfo/show/5415
https://zh-tw.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487