A file read/inclusion vulnerability in Apache Tomcat versions 6-9 allows unauthenticated read access to system files and can be escalated into a code execution vulnerability in some cases.
All unpatched versions are vulnerable unless the Apache JServ Protocol (AJP) connector has been deliberately disabled or access by untrusted users has been blocked (for example by firewalling port 8009, the default AJP port). If file uploads are enabled, remote code execution may also be possible by attackers uploading JSP files.
A number of PoC exploits are available and RedShield is aware of active scans looking for this vulnerability.
Security researchers from Chaitin Tech have reported a file read/upload vulnerability in AJP. The vulnerability was discovered in early January and disclosed to the Apache foundation for patching; it was announced on the 20th of February by China’s National Vulnerability Database (CNVD-2020-10487), followed by the NIST NVD on the 24th of February (CVE-2020-1938).
Following the early disclosure, Apache has released fixes for the following impacted systems:
- Apache Tomcat 7: Patch 7.0.100
- Apache Tomcat 8: Patch 8.5.51
- Apache Tomcat 9: Patch 9.0.31
No patch has been released for Apache Tomcat 6, which is likely still vulnerable.
- If this impacts your version of Apache Tomcat, we suggest updating immediately.
- Add the ‘requiredSecret’ attribute to your AJP connector configuration. This acts as a password: the connector rejects AJP requests that do not present the secret. The secret should be long and random enough to resist brute forcing.
- Lock down your webserver with a firewall to reduce your attack surface. If AJP is not required on your system, best security practice is to remove access to it completely. The default port for AJP is 8009.
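A quick way to check the second and third recommendations against a real `server.xml` is to audit every AJP connector for a missing shared secret and for a bind address other than loopback. The script below is an added example written for this advisory, not RedShield's or Apache's code. The `server.xml` fragment is constructed for the example; the 16-character minimum for the secret is an assumed threshold. Note that the patched releases (8.5.51 and 9.0.31) renamed the attribute from `requiredSecret` to `secret` and added `secretRequired`, so the check accepts either spelling.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not taken from any real deployment).
# Connector on 8009 is the pre-patch default: all interfaces, no secret.
# Connector on 8010 is the hardened form recommended in the advisory.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-LONG-RANDOM-VALUE"/>
  </Service>
</Server>
"""

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}
MIN_SECRET_LEN = 16  # assumed threshold, not a value from the advisory


def is_ajp_connector(connector):
    """True for protocol="AJP/1.3" and the explicit Ajp*Protocol class names."""
    protocol = connector.get("protocol", "HTTP/1.1")
    return "ajp" in protocol.lower()


def audit_ajp_connectors(xml_text):
    """Return one finding per AJP connector: its port and a list of issues.

    An empty issue list means the connector is bound to loopback and
    requires a secret of acceptable length.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for connector in root.iter("Connector"):
        if not is_ajp_connector(connector):
            continue
        issues = []

        # No address attribute means "listen on all interfaces" on unpatched versions.
        address = connector.get("address")
        if address is None or address not in LOOPBACK_ADDRESSES:
            issues.append("bound to non-loopback address (%s)" % (address or "all interfaces"))

        # Accept both the old (requiredSecret) and new (secret) attribute names.
        secret = connector.get("secret") or connector.get("requiredSecret")
        if not secret:
            issues.append("no shared secret configured")
        elif len(secret) < MIN_SECRET_LEN:
            issues.append("shared secret shorter than %d characters" % MIN_SECRET_LEN)

        # secretRequired defaults to true on patched versions; flag an explicit opt-out.
        if connector.get("secretRequired", "true").lower() == "false":
            issues.append("secretRequired explicitly disabled")

        findings.append({"port": connector.get("port"), "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not finding["issues"] else "; ".join(finding["issues"])
        print("AJP connector on port %s: %s" % (finding["port"], status))
```

Run it against your own file with `audit_ajp_connectors(open("conf/server.xml").read())`; any connector that reports issues should be either removed, bound to loopback with a secret, or firewalled as described above.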
Customers with a standard deployment of RedShield are protected by default due to the firewalling process during setup. For added peace of mind, RedShield will protect against malicious JSP file uploads if you have shielding for your AJP connector port.
If you are concerned whether or not your web application is still vulnerable, don’t hesitate to get in contact at email@example.com.
Original CNVDB announcement: https://www.cnvd.org.cn/webinfo/show/5415
NIST CVE announcement: https://nvd.nist.gov/vuln/detail/CVE-2020-1938
“What is AJP protocol used for?”: https://stackoverflow.com/questions/21757694/what-is-ajp-protocol-used-for