CVE-2020-1938 Apache TomCat AJP File Inclusion Vulnerability

Description

FortiGuard Labs is aware of a new attack on Apache Tomcat Servers dubbed "GhostCat." Discovered by Chaitin Tech, a vulnerability in Apache Tomcat exists where an attacker has the ability to read and write in the webapp directory of Apache Tomcat. It addition to this, an attacker has the ability to upload files to the host to ultimately perform remote code execution. Assigned CVE-2020-1938, this vulnerability affects every version of Tomcat released over the past 13 years.


What are the specifics of the vulnerability?

Due to a flaw in the Apache Tomcat JServ Protocol, or AJP, a file inclusion vulnerability exists where an attacker has the ability to read and write privileges in the webapp directory of Apache Tomcat. Also, if a web application has file upload function capability; an attacker may be able to perform remote code execution by exploiting file inclusion within the vulnerability itself. Essentially, an attacker can also upload malicious JSP (JavaServer Pages) to exploit this vulnerability and gain remote code execution.


What versions of software are affected?

This affects Apache Tomcat software only. The following software versions are affected

Apache Tomcat 9.0.0.M1 to 9.0.30

Apache Tomcat 8.5.0 to 8.5.50

Apache Tomcat 7.0.0 to 7.0.99


What is the severity of this issue?

HIGH. The CVSS base score is 9.8 CRITICAL.


Has the vendor issued a patch?

Yes. The Apache Software Foundation has issued patches for versions 7/8/9 of Apache Tomcat. However, versions 6 and lower are no longer supported and have reached end of life status. Please refer to the APPENDIX section for links to patches.


What is that status of AV or IPS coverage?

Fortinet customers running the latest IPS definitions are protected against GhostCat with the following signature:

Apache.Tomcat.AJP.Local.File.Inclusion

AV coverage is not feasible for this event.


What mitigation is available if any?

It is recommended to upgrade versions that have reached end of life to one of the versions that are supported. If this is not possible, if AJP support is not necessary, disabling the connector by commenting out the server.xml /conf/server.xml file in the following line:

[Connector port = "8009" protocol = "AJP / 1.3" redirectPort = "8443" ]

If AJP connector is a requirement and cannot be commented/deactivated, then, it is recommended to configure network firewall rules to prevent unauthorized access and to make sure that the connector listens on a non-public interface.


MITRE ATT&CK

Exploit Public-Facing Application

ID: T1190

Tactic: Initial Access


Exploitation for Client Execution

ID: T1203

Tactic: Execution

Telemetry