What is GhostCat Vulnerability (CVE-2020-1938)?
credits: Chaitin Tech


Java is currently the most popular programming language in Web development, and Apache Tomcat is one of the most popular Java middleware servers. It has been used for more than 20 years since its initial release.

GhostCat is a serious vulnerability in Tomcat discovered by researchers at Chinese cybersecurity company Chaitin Tech. Due to a flaw in the Tomcat AJP protocol, an attacker can read or include any files in the web app directories of Tomcat.


Why is this vulnerability called GhostCat?

This vulnerability affects all versions of Tomcat in the default configuration, which means that it has been dormant in Tomcat for more than a decade.


What is Tomcat AJP Connector?

Tomcat Connector is the channel for Tomcat to connect to the outside. It enables Catalina to receive requests from the outside, pass them to the corresponding web application for processing, and return the response result of the request.

By default, Tomcat is configured with two Connectors, which are HTTP Connector and AJP Connector:

HTTP Connector: used to process HTTP protocol requests (HTTP/1.1), and the default listening address is 0.0.0.0:8080

AJP Connector: used to process AJP protocol requests (AJP/1.3), and the default listening address is 0.0.0.0:8009

HTTP Connector is used to provide HTTP Web services that we often use. The AJP Connector uses the AJP protocol (Apache Jserv Protocol). The AJP protocol can be understood as a performance-optimized version of the HTTP protocol in binary format. It can reduce the processing cost of HTTP requests, so it is mainly used in scenarios that require clustering or reverse proxy.


What can GhostCat do?

By exploiting the GhostCat vulnerability, an attacker can read the contents of configuration files and source code files of all web apps deployed on Tomcat.

In addition, if the website application allows users to upload a file, an attacker can first upload a file containing malicious JSP script code to the server (the uploaded file itself can be any type of file, such as pictures, plain text files, etc.), and then include the uploaded file by exploiting the GhostCat vulnerability, which can finally result in remote code execution.


What versions of the Tomcat are affected?

Apache Tomcat 9.x < 9.0.31

Apache Tomcat 8.x < 8.5.51

Apache Tomcat 7.x < 7.0.100

Apache Tomcat 6.x

All versions (9.x/8.x/7.x/6.x) of the Apache Tomcat released in the past 13 years have been found vulnerable to this new high-severity ‘file read and inclusion bug’.


Under what circumstances can Tomcat be exploited?

If the AJP Connector is enabled and the attacker can access the AJP Connector service port, there is a risk of being exploited by the GhostCat vulnerability.

It should be noted that Tomcat AJP Connector is enabled by default and listens at 0.0.0.0:8009.
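The two conditions above (an affected version, and an AJP Connector that is enabled and reachable) can be checked from a Tomcat version string and its server.xml. The following Python script is an added example, not code from the article or from Chaitin Tech; the affected ranges are the ones listed above, the Connector `protocol`, `port` and `address` attributes are standard Tomcat configuration, and the two server.xml fragments are constructed samples.

```python
import xml.etree.ElementTree as ET

# First fixed release per branch, as listed in the article; 6.x never received a fix.
FIXED_IN = {9: (9, 0, 31), 8: (8, 5, 51), 7: (7, 0, 100)}

def is_vulnerable_version(version):
    """True if a Tomcat version string falls in the GhostCat-affected ranges."""
    parts = tuple(int(p) for p in version.split("."))
    if parts[0] == 6:
        return True
    fixed = FIXED_IN.get(parts[0])
    return fixed is not None and parts < fixed  # 10.x and later shipped after the fix

def exposed_ajp_connectors(server_xml):
    """Report AJP connectors in a server.xml string that a remote host could reach."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):  # commented-out ones are skipped
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        port = conn.get("port", "8009")
        # Without an address attribute, affected releases bind all interfaces (0.0.0.0:8009)
        address = conn.get("address", "0.0.0.0")
        if address not in ("127.0.0.1", "::1", "localhost"):
            findings.append(f"AJP/1.3 connector on {address}:{port} is reachable from the network")
    return findings

def ghostcat_risk(version, server_xml):
    """The article's condition: a vulnerable version AND an enabled, reachable AJP connector."""
    if not is_vulnerable_version(version):
        return []
    return exposed_ajp_connectors(server_xml)

# Constructed sample: the out-of-the-box layout the article describes (HTTP 8080 + AJP 8009)
DEFAULT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed sample: AJP bound to loopback only, so just a local reverse proxy can use it
HARDENED_SERVER_XML = DEFAULT_SERVER_XML.replace(
    'port="8009" protocol="AJP/1.3"', 'port="8009" address="127.0.0.1" protocol="AJP/1.3"')

if __name__ == "__main__":
    for label, xml in (("default", DEFAULT_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, ghostcat_risk("9.0.30", xml) or ["no GhostCat exposure found"])
```

Deleting or commenting out the AJP Connector removes it from the parse entirely, so a disabled connector yields no finding, just as an upgrade past the fixed version does.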



Thank you to Yang Kun, Yusen Chen, Zhu Wenlei at cybersecurity firm Chaitin Tech, Beijing, China for information used in this article.



Alan O'Grady

Alan O’Grady is an Ireland-based Product Marketer working with software and technology companies. He has lived and worked in Europe, Asia, and the USA. Alan is customer-focused, with data network and mobile experience gained at managed service providers and telecoms operators such as Deutsche Telekom and Singtel.





#GhostCat #vulnerability #Java #ApacheTomcat #Tomcat #middleware #WebDevelopment


