Ghostcat breach affects all Tomcat versions

Written by:

February 26, 2020


Apache Tomcat is an open source implementation of the Java Servlet, JavaServer Pages, Java Expression Language, and Java WebSocket technologies. Tomcat is one of the most popular Java HTTP web server environments and was released in 1998.

Ghostcat is a high severity vulnerability in Tomcat discovered by security researchers at Chaitin Tech on January 3rd. On February 20, the China National Vulnerability Database (CNVD) published a security advisory for this issue under the number CNVD-2020-10487.

The vulnerability was found in the Apache JServ Protocol (AJP). The issue is that this binary protocol allows an attacker to read, or include, any file within the Tomcat webapp directories.

AJP Connector

The AJP Connector takes care of communication between Tomcat and the outside world. By default, the AJP Connector is enabled in Apache Tomcat on port 8009 for versions 6 to 9. As CVE-2020-1938 is a file read/inclusion vulnerability in the AJP Connector within Tomcat, all versions that do not contain the patch have this vulnerability.

The vulnerability allows an attacker to read the contents of the web application files. If the web application allows file upload, the attacker is also able to upload arbitrary files to the server, including malicious JavaServer Pages (JSP) that enable remote code execution on the server.


Solution

Apache Tomcat already released patched versions for Tomcat 7, 8, and 9:

The Chaitin researchers suggest that, even if you apply the patch, you also add a proper secret to your connector configuration in the /conf/server.xml file.

<Connector port="8009" protocol="AJP/1.3"
           redirectPort="8443"
           address="YOUR_TOMCAT_IP_ADDRESS"
           secret="YOUR_TOMCAT_AJP_SECRET" />

When patching is not an option, there are some other ways to mitigate this issue, according to the Chaitin researchers.

If you are not using the AJP Connector you can safely comment out or delete the declaration of the AJP Connector in the /conf/server.xml file.

<!--<Connector port="8009" protocol="AJP/1.3"
               redirectPort="8443" />-->

If you do use the AJP Connector and updating to the patched version is not an option, add a requiredSecret attribute with a strong, hard-to-guess secret.

<Connector port="8009" protocol="AJP/1.3"
           redirectPort="8443"
           address="YOUR_TOMCAT_IP_ADDRESS" requiredSecret="YOUR_TOMCAT_AJP_SECRET" />
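To check a deployment against the three options above, here is an added example (not code from the Snyk post or the Tomcat project) that parses a server.xml and reports every active AJP Connector that lacks a shared secret or an address restriction; the two server.xml fragments and the placeholder secret are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragments (not from any real deployment).
SAMPLE_VULNERABLE = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

SAMPLE_MITIGATED = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!--<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />-->
    <Connector port="8010" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" requiredSecret="example-placeholder-secret" />
  </Service>
</Server>"""


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per *active* AJP Connector in server.xml.

    Commented-out connectors are dropped by the XML parser, which mirrors
    Tomcat: a commented-out declaration is not an open port. Both 'secret'
    (patched releases) and 'requiredSecret' (older releases) count as a secret.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # Tomcat defaults to HTTP when no protocol attribute is present.
        protocol = conn.get("protocol", "HTTP/1.1")
        if "AJP" not in protocol.upper():
            continue
        secret = conn.get("secret") or conn.get("requiredSecret")
        address = conn.get("address")
        issues = []
        if not secret:
            issues.append("no AJP secret configured")
        if not address:
            issues.append("address not set (pre-patch default listens on all interfaces)")
        findings.append({"port": conn.get("port"), "secret_set": bool(secret),
                         "address": address, "issues": issues})
    return findings


if __name__ == "__main__":
    for name, sample in (("vulnerable", SAMPLE_VULNERABLE), ("mitigated", SAMPLE_MITIGATED)):
        for finding in audit_ajp_connectors(sample):
            print(name, finding)
```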

Spring Boot

The latest version of the JVM Ecosystem report shows that Spring Boot is the most widely used server-side framework within the ecosystem. Spring Boot uses an embedded web server and, by default, the embedded version of Tomcat is used. It is possible that spring-boot-starter-web introduced a vulnerable version of the embedded Apache Tomcat package into your system.

Edited Mar 2, 2020

It is good to know that, by default, Spring Boot does not create an AJP connector out of the box. This means that with the default settings an attacker cannot exploit this vulnerability. However, Spring Boot can be configured differently. Depending on your configuration, you should check whether you are vulnerable and take appropriate measures.
