GhostCat: A New Vulnerability Affecting Servers Running Apache Tomcat
By Yash Kudal
If your web server runs Apache Tomcat, update to the latest version immediately to prevent attackers from taking unauthorized control of it.
All versions (9.x / 8.x / 7.x / 6.x) of Apache Tomcat released in the last 13 years are affected by a critical vulnerability (CVE-2020-1938, CVSS 9.8) that is exploitable in the default configuration.
It has attracted wide attention because several proof-of-concept exploits for the vulnerability have already been posted on the Internet, making it easy for anyone to attack vulnerable web servers.
The bug allows unauthenticated, remote attackers to read the contents of any file within a vulnerable web application's directory, such as configuration files or source code under WEB-INF, and to execute arbitrary code if the application also allows file uploads.
How GhostCat Works
According to Chinese cybersecurity company Chaitin Tech, the vulnerability lies in Tomcat's AJP connector and arises from improper handling of the request attributes an AJP client supplies: the connector trusts them, so an attacker who can reach the AJP port can make Tomcat read or process files inside the web application.
If a site allows users to upload files, an attacker can first upload a file containing malicious JSP code (the file itself can be of any type, such as an image or a plain text file) and then use the Ghostcat exploit to have Tomcat include that file, which leads to remote code execution.
The Apache JServ Protocol (AJP) is essentially an optimized, binary version of HTTP that allows Tomcat to communicate with a front-end Apache web server.
The AJP connector is enabled by default, listens on TCP port 8009 and is bound to IP address 0.0.0.0 (all interfaces), so it can be exploited remotely whenever it is reachable by untrusted clients.
Chaitin researchers discovered the flaw and reported it to the Apache Tomcat project last month; the project has now released Apache Tomcat 9.0.31, 8.5.51 and 7.0.100 to fix the issue. The 6.x branch is end-of-life and will not receive a fix.
The latest releases also fix two other issues, CVE-2020-1935 and CVE-2019-17569 (both HTTP request smuggling bugs).
Webmasters are strongly advised to apply the updates immediately and not to expose the AJP port to untrusted clients, because AJP is an insecure, cleartext channel intended for use only on a trusted network.
"Users should know that many changes have been made to the automatic configuration of the AJP Connector in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31 or later will need to make minor changes to their configuration as a result," said the Tomcat Group.
However, if for some reason you cannot upgrade the web server, you can instead disable the AJP Connector in server.xml, or change its listening address to localhost so that it only accepts connections from the local machine.
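As an added example (not part of the original article or of the Tomcat project's own code), the following Python script performs the two checks a practitioner would run before and after applying the advice above: whether the reported Tomcat version predates the fixed release for its branch, and whether server.xml enables an AJP connector that listens on all interfaces. The three server.xml fragments are constructed for the example, modelled on the connector line as shipped before the fix and on the two mitigations described above (loopback binding and disabling the connector); the function names and the AjpFinding class are this example's own.

```python
"""Audit a Tomcat instance for Ghostcat (CVE-2020-1938) exposure.

Two checks: (1) is the reported version below the first fixed release of
its branch, and (2) does server.xml enable an AJP connector bound to all
interfaces. All server.xml samples below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# First fixed release per branch (Apache Tomcat 9.0.31, 8.5.51, 7.0.100).
# 6.x and earlier are end-of-life and never received a fix.
FIXED_VERSIONS = {9: (9, 0, 31), 8: (8, 5, 51), 7: (7, 0, 100)}

# Bind addresses that mean "every interface", i.e. reachable from the network.
WILDCARD_ADDRESSES = {"0.0.0.0", "::", "::0"}


def parse_version(banner):
    """Extract (major, minor, patch) from 'Apache Tomcat/8.5.50' or '8.5.50'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if match is None:
        raise ValueError(f"no version number in {banner!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable_version(banner):
    """True when the version predates the fix for its branch."""
    version = parse_version(banner)
    major = version[0]
    if major < 7:
        return True  # EOL branch, no fixed release exists
    if major not in FIXED_VERSIONS:
        raise ValueError(f"branch {major}.x not covered by this check")
    return version < FIXED_VERSIONS[major]


@dataclass
class AjpFinding:
    port: str
    address: str
    exposed: bool


def audit_ajp_connectors(server_xml, banner):
    """One finding per enabled AJP connector. Commented-out connectors are
    dropped by the XML parser, which is exactly how "disable the connector"
    works in server.xml.

    A missing address attribute means 0.0.0.0 before the fixed releases and
    the loopback address from 9.0.31 / 8.5.51 / 7.0.100 onwards, so the
    version decides whether a bare AJP <Connector> is reachable remotely.
    """
    default_is_wildcard = is_vulnerable_version(banner)
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        address = conn.get("address")
        if address is None:
            exposed = default_is_wildcard
            address = "0.0.0.0 (default)" if exposed else "loopback (default)"
        else:
            exposed = address in WILDCARD_ADDRESSES
        findings.append(AjpFinding(conn.get("port", "?"), address, exposed))
    return findings


def ghostcat_exposed(server_xml, banner):
    """True when the version is unpatched AND an AJP connector is reachable."""
    return is_vulnerable_version(banner) and any(
        f.exposed for f in audit_ajp_connectors(server_xml, banner))


# Constructed sample: the AJP connector as server.xml shipped it before the
# fix, enabled and with no address attribute.
SHIPPED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed sample: mitigation for a server that cannot be upgraded yet,
# the connector pinned to loopback so only a local front-end can reach it.
LOOPBACK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed sample: AJP disabled outright by commenting the connector out.
DISABLED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
  </Service>
</Server>"""


if __name__ == "__main__":
    samples = [("shipped", SHIPPED_SERVER_XML), ("loopback", LOOPBACK_SERVER_XML),
               ("disabled", DISABLED_SERVER_XML)]
    for label, xml in samples:
        for banner in ("Apache Tomcat/9.0.30", "Apache Tomcat/9.0.31"):
            verdict = "EXPOSED" if ghostcat_exposed(xml, banner) else "ok"
            print(f"{label:8} {banner:20} {verdict:8}", audit_ajp_connectors(xml, banner))
```

The version check matters for the config check: on an unpatched build a connector line without an address attribute is the exposed default, whereas the fixed releases bind the same line to loopback. Note also that from 9.0.31 and 8.5.51 onwards an enabled AJP connector requires a shared secret (the secret attribute) unless secretRequired="false" is set explicitly, which is the kind of configuration change the Tomcat team warns upgraders about.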