Ghostcat, an Apache Tomcat server vulnerability, CNVD-2020-10487. Any time the web server is started, the AJP protocol is started on its port. Automatically discover, prioritize and remediate Apache. The CVE-2020-1938 vulnerability in Apache Tomcat was addressed by Solutions Business Manager. Patches were made available last month with the release of versions 9. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. If AJP is misconfigured, it could allow an attacker access to internal resources.
The Apache JServ Protocol is commonly used by web servers to communicate with backend Java application server containers. Detect Apache Tomcat AJP file inclusion vulnerability CVE. When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming. The vulnerability exploits a flaw in the Apache JServ Protocol (AJP). Feb 28, 2020: Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation. If the target server also provides a file upload function, the attacker can.
AJP (Apache JServ Protocol) is basically a binary protocol that allows reverse proxying of requests from a front-end web server to a back-end application server, effectively propagating all the information needed for the request/response flow to continue successfully. AJP is a binary protocol designed to handle requests sent to a web. The security issue has received a critical severity rating score of 9. Of course we all know the Metasploitable 2 virtual machine is deliberately vulnerable. Apr 23, 2020: who should read this advisory; apply software fixes. The CVE-2020-1938 vulnerability affected Tomcat's AJP protocol and was identified by the Chinese cybersecurity firm Chaitin Tech. Find business solutions from Micro Focus software support to meet.
Secondly, some customers choose to deploy Apache Tomcat separately with our products, such as in conjunction with the ArcGIS Java Web Adaptor, or together with Apache as a reverse proxy. The Apache JServ Protocol (AJP) is a binary protocol that enables proxying of incoming requests from a web server to a web application server. Mar 12, 2020: an exploit titled Ghostcat and tracked as CVE-2020-1938 (CNVD-2020-10487) has been identified when using the Apache JServ Protocol (AJP) and trusting incoming connections to Apache Tomcat. Therefore one can only suspect that the majority, if not all, of the companies. Automatically discover, prioritize and remediate Apache Tomcat. Since it is not recommended to have AJP services publicly accessible on the internet. The simplest solution is to configure Apache as a local proxy, which performs transparent conversion of. When using the Apache JServ Protocol (AJP), care must be taken. A remote attacker leveraging this vulnerability may steal information via AJP.
CVE-2020-1745 is a vulnerability very similar to CVE-2020-1938, but it occurs in Apache Undertow. Ghostcat in itself is a local file include/read vulnerability and not an arbitrary file upload/write vulnerability. Metasploitable 2 vulnerability assessment: hacking tutorials. Hacking an Apache web server: penetration testing (YouTube). When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache. Active scans for the Apache Tomcat Ghostcat vulnerability. Ghostcat is a high-risk file read/include vulnerability tracked as CVE-2020-1938 and present in the Apache JServ Protocol (AJP) of Apache Tomcat between versions 6. How can you prevent your Apache Tomcat web server from being affected? An attacker could exploit this vulnerability to read arbitrary files from a web application directory on the server. If such connections are available to an attacker, they can. Sun has released an alert notification to address the Apache Tomcat Java Apache JServ Protocol connector invalid header denial of service. The Ghostcat vulnerability has existed for more than a decade, and it affects versions 6, 7, 8 and 9 of Apache Tomcat. Apache Tomcat affected by serious Ghostcat vulnerability.
The Apache Software Foundation released Tomcat versions 7. The default configuration of the JServ status handler in JServ. On the Apache Tomcat security advisory page, Ghostcat is described as AJP request injection and potential remote code execution. The Apache Tomcat Connectors AJP protocol reference 1. These vulnerabilities exist in the AJP protocol, which is, by default, exposed over TCP port 8009 and enabled. The Apache JServ Protocol (AJP) is used for communication between Tomcat and the Apache web server. Dubbed Ghostcat and tracked as CVE-2020-1938, the flaw was discovered by researchers at the Chinese cybersecurity firm Chaitin Tech, who reported their findings to the Apache Software Foundation on. It is not recommended to have AJP services publicly accessible on the internet. Apache Tomcat fixed the Ghostcat vulnerability CVE-2020-1938, where successful exploitation allows an attacker to read or include any file in all webapp directories on Tomcat, such as webapp configuration files, source code, etc.
Several proof-of-concept exploit scripts for the recently patched flaw in Apache Tomcat are now available. In addition, a remote attacker may execute arbitrary code if the web application allows file upload and stores files. Ghostcat [2, 3] is a file read/inclusion vulnerability in the Apache JServ Protocol (AJP) connector in Apache Tomcat. The Apache Tomcat AJP file inclusion vulnerability CVE-2020-1938 is exploitable only if port 8009 is exposed and AJP is installed. The vulnerability exists in the Apache JServ Protocol (AJP), which is enabled by default and listens on all configured IP addresses. Ghostcat exploits the Apache JServ Protocol connector to read and write files on an Apache Tomcat server.
Apache projects are managing exabytes of data, executing teraflops of operations, and storing billions of objects in virtually every industry. Mar 09, 2020: this describes the Apache JServ Protocol version 1. Mar 03, 2020: CVE-2020-1938 is a file read/inclusion vulnerability in the AJP connector in Apache Tomcat. Chaitin says the vulnerability is related to the Apache JServ Protocol (AJP), which is designed to improve performance by proxying inbound requests from a web server through to an application server. The vulnerability exists in the Apache JServ Protocol (AJP), which is by default exposed over TCP port 8009 and enabled. The Apache JServ Protocol (AJP) is a binary protocol that can proxy inbound requests from a web server through to an application server that sits behind the web server. The vulnerability is due to insufficient validation of user-supplied input by an affected device. If such connections are available to an attacker, they can be exploited in ways that may be surprising. BSRT-2020-001: local file inclusion vulnerability in Apache. Apache JServ security vulnerabilities, exploits, Metasploit modules, vulnerability statistics and list of versions, e. Updated alert regarding vulnerability CVE-2020-1938 in Apache. CVE-2020-1938: Apache Tomcat AJP file inclusion vulnerability.
The vulnerability can be exploited by an attacker who can communicate with the affected AJP protocol service. Administrators who deploy and support affected products. Affected Apache Tomcat versions will be reported under the Qualys WAS detection (see details of the detection below). Metasploitable 2 enumeration: hacking tutorials, breach the. The Apache Tomcat vulnerability exists in Tomcat's Apache JServ Protocol (AJP) due to an implementation defect. If AJP is misconfigured, it could allow an attacker. The script checks if the target host is running a service supporting the Apache JServ Protocol (AJP) that is accessible from the public WAN (internet). Exploiting Apache Tomcat through port 8009 using the. Impersonation attacks in 4G networks demonstrate a proven insecurity in a layer above a provably secure protocol; Boeing implementing more rigorous testing of Starliner after software problems shows how problems in cloud computing will be just the same in star systems; APIs are. A vulnerability in Apache Tomcat was addressed by Operations Bridge Manager. There is, apparently, no current documentation of how the protocol works. Depending on the scenario, this may give access to customer data, personal information, database passwords, and other content. A remote, unauthenticated attacker can exploit it to access configuration and source code files. Version 6 is no longer supported, but the fact that it's impacted shows that the vulnerability has existed for more than a decade.
The vulnerability could be exploited for file content disclosure of the web application or remote code execution. The vulnerability is due to the handling of attributes in the Apache JServ Protocol (AJP). High-risk vulnerability: Apache Tomcat AJP file inclusion. The Apache JServ Protocol (AJP) is a binary protocol that can proxy inbound requests from a. Running by default on TCP port 8009, AJP is a binary protocol designed to handle requests sent to a web server destined for an application. Apache Tomcat AJP requests denial of service vulnerability. This document is an attempt to remedy that, in order to make life easier for maintainers of JK, and for anyone who wants to port the protocol somewhere into Jakarta 4. You can view versions of this product or security vulnerabilities related to Apache JServ. A severe vulnerability exists in Apache Tomcat's Apache JServ Protocol. The security hole is related to the Apache JServ Protocol (AJP), which is designed to improve performance by proxying inbound requests from a web server through to an application server. App Scanner Enterprise updates for March 2020 (Trustwave).
New high-risk vulnerability affects servers running Apache. Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation. An attacker must communicate with an Apache JServ Protocol (AJP) port on the server. A remote, unauthenticated attacker could exploit this to access files which, under normal conditions, would be restricted. In this video I demonstrate how to remotely exploit and gain access to an Apache web server when doing a penetration test using known vulnerabilities. Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages (JSP) technologies. On February 24, 2020 local time, the Apache Software Foundation has. Ghostcat request injection vulnerability (NHS Digital). When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. AJP is a highly trusted protocol and should never be exposed to untrusted clients, which could use it to gain access to sensitive information or execute code on the application server. Flashpoint has tested the publicly available PoC code against Tomcat version 8. When starting IoTDB, the JMX port 31999 is exposed with no authentication. Often, AJP is used to load balance using sticky-session policies. Apache Tomcat web servers are widely used for deploying Java-based web applications.
Ghostcat bug impacts all Apache Tomcat versions released. Updated alert regarding vulnerability CVE-2020-1938 in. A serious vulnerability affecting Apache Tomcat can be exploited to read files from a server and, in some cases, even to achieve remote code execution. The flaw was reported by the Chinese cybersecurity firm Chaitin Tech to the Apache Software Foundation on January 3. On February 20, the China National Vulnerability Database (CNVD) published a security advisory for CNVD-2020-10487, a severe vulnerability in Apache Tomcat's Apache JServ Protocol, or AJP.
You may have heard about it or have been affected by the security flaw already. Most of the operating companies scanned by Nmap will most likely be vulnerable. Successful exploitation of the vulnerability could allow an attacker to read arbitrary files on the affected server. Addressing the Apache Tomcat Ghostcat vulnerability on. Apache Tomcat Java Apache JServ Protocol connector invalid.
The Ghostcat vulnerability is a serious security flaw; however, it is easily rectifiable. Performs brute force password auditing against the Apache JServ Protocol. AJP is a binary protocol designed to handle requests sent to a web server destined for an application server, in order to improve performance. In-depth analysis of the top four flaws of the next generation web protocol.
The flaw treats certain connections as trustworthy when they are not. The vulnerability is due to improper handling of certain user-supplied requests by the Apache JServ Protocol (AJP) module used by the affected web server. New high-risk vulnerability affects servers running. Ghostcat: Apache Tomcat AJP file read/inclusion vulnerability. Hackers scanning for Apache Tomcat servers vulnerable to. The vulnerability is due to incorrect processing of headers in the Tomcat Java Apache JServ Protocol (AJP) connector. Vulnerability statistics provide a quick overview of the security vulnerabilities of this software. Jun 05, 2016: a vulnerability assessment is a crucial part of every penetration test and is the process of identifying and assessing vulnerabilities on a target system. The Chinese cyber security company Chaitin Tech discovered the vulnerability, which is named Ghostcat and is tracked as CVE-2020-1938. Ghostcat flaw: all versions of Apache Tomcat were affected. An attacker with the ability to interact with the AJP protocol could exploit these vulnerabilities using specially crafted packets and/or files. Additionally, an attacker must be able to upload a maliciously crafted file to the server to achieve greater.
It also supports some monitoring, in that the web server can ping the application server. Apache software is an integral part of nearly every end-user computing device, from laptops to tablets to phones. The Apache JServ Protocol (AJP) is a binary protocol that can proxy inbound requests from a web server through to an application server that sits behind the. A vulnerability in Apache Tomcat was addressed by Micro Focus Backup Navigator. This makes communication with the AJP port rather difficult using conventional tools. An unauthenticated remote attacker may send specially crafted requests to read web application files or upload malicious JavaServer Pages (JSP) code to execute arbitrary commands. In this part of the tutorial we will be assessing the vulnerabilities available on the network side of the Metasploitable 2 virtual machine. First, the Ghostcat vulnerability CVE-2020-1938 is in the media and customers want to know if their ArcGIS deployment is vulnerable. Apache Tomcat file inclusion vulnerability CVE-2020-1938. Apache JServ Protocol service vulnerabilities (Acunetix). A criminal exploiting this flaw could have access to all web application files.
Though the AJP protocol comes enabled by default and listens on TCP port 8009, it is bound to IP address 0. The script detects a service supporting the Apache JServ Protocol (AJP) version 1. The Apache JServ Protocol (AJP) is a packet-oriented binary protocol designed to proxy inbound requests from a public web server to a private application server. A severe vulnerability exists in Apache Tomcat's Apache JServ Protocol. For more information on the vulnerability, please refer to the information provided by the Apache Software Foundation. CVE-2020-1938: AJP request injection and potential remote code execution. Ghostcat vulnerability in the Tomcat Apache JServ Protocol. The Apache Software Foundation has released new versions of Apache Tomcat 7, 8.
Apache Tomcat exploit poised to pounce, stealing files. The Apache Tomcat open-source web server supports various JavaScript-based technologies, including the Apache JServ Protocol (AJP) interface, which is where the vulnerability. Red Hat has released a security advisory and updated software to address the Apache Tomcat Java Apache JServ Protocol connector invalid header denial of service vulnerability. This vulnerability is due to a flaw in the Tomcat Apache JServ Protocol (AJP). An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted Apache JServ Protocol (AJP) request with a content length of zero to a targeted device. Apache Tomcat improper input validation vulnerability. The AJP protocol is enabled by default, listening on TCP port 8089 and bound to IP address 0. Chaitin says the vulnerability is related to the Apache JServ Protocol (AJP), which is designed to improve performance by proxying inbound requests from a. Apache JServ Protocol (AJP) public WAN (internet) accessible. If you are forced to use AJP, or the Apache JServ Protocol, you will be vulnerable. Due to a flaw in the Apache Tomcat JServ Protocol, or AJP, a file inclusion vulnerability exists where an attacker has read and write privileges in the webapp directory of Apache Tomcat. Exploiting Apache Tomcat through port 8009 using the Apache. CVE-2020-1938: AJP request injection and potential remote code execution, severity.