CVE-2020-1938

Analysis and mitigation of the Tomcat vulnerability — CRITICAL (CVSS 9.8)

High-profile threat

Overview

Apache Tomcat contains a critical vulnerability in its AJP (Apache JServ Protocol) connector that allows remote code execution when the connector is enabled and reachable by untrusted users. The vulnerability affects multiple versions across the Tomcat 7.x, 8.5.x, and 9.0.x branches. By default, the AJP connector listens on all network interfaces on port 8009, making it accessible to remote attackers who can craft malicious requests to bypass authentication and execute arbitrary code on the server. The vulnerability was disclosed on February 24, 2020. CISA has identified CVE-2020-1938 as exploited, but it is not currently known to be used in ransomware campaigns.

Technical details

Apache Tomcat's AJP connector implementation is affected by the vulnerability known as Ghostcat (named for its stealthy nature). The AJP protocol allows front-end web servers (such as Apache httpd or Nginx) to forward requests to Tomcat application servers. However, the implementation fails to properly validate AJP requests, allowing attackers to send malicious AJP packets that manipulate Tomcat's request processing. Specifically, attackers can abuse the protocol to request arbitrary files from the filesystem or to inject malicious JSP code that Tomcat then processes, leading to remote code execution.

The vulnerability is classified as CWE-917 (Expression Language Injection), CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-426 (Untrusted Search Path).

The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating its critical nature.

Impact

An attacker with network access to the AJP port can:

1. Read arbitrary files from the Tomcat server (e.g., configuration files, source code, credentials)
2. Upload and execute arbitrary JSP files, achieving remote code execution
3. Completely compromise the Tomcat server and any applications running on it
4. Escalate privileges if the Tomcat process runs as root (not recommended but possible)
5. Access sensitive data stored in application databases
6. Modify or delete application files and data

This is particularly critical in containerized environments where Tomcat runs as the main process, or in Kubernetes clusters where internal network communication may not be properly segmented. Many organizations expose the AJP port unintentionally through load balancers or when multiple services run in the same network.

Mitigation and workarounds

1. Download the patched Tomcat version from https://tomcat.apache.org/download-80.cgi (or the download page for your branch)
2. Back up your current Tomcat installation and configuration
3. Extract the patched version
4. Copy your configuration files from the old installation to the new one
5. Restart Tomcat
6. Verify that the AJP connector is configured with appropriate security settings

Alternatively, apply the specific patch files if available for your version. The following versions include the necessary fixes: Tomcat 7.0.100 and later (7.x branch), Tomcat 8.5.51 and later (8.5.x branch), Tomcat 9.0.31 and later (9.0.x branch).

As temporary workarounds:

1. Disable the AJP connector if it is not in use. Edit $CATALINA_HOME/conf/server.xml and comment out or remove the AJP connector line:

```xml
<!-- <Connector protocol="AJP/1.3" port="8009" redirectPort="8443" /> -->
```

2. Restrict the AJP connector to localhost only. Modify the connector line in server.xml so that it binds to the loopback address:

```xml
<Connector protocol="AJP/1.3" port="8009" address="127.0.0.1" redirectPort="8443" />
```

3. Use firewall rules to restrict access to the AJP port (default 8009) to trusted IPs only (your reverse proxy servers). For example, with iptables:

```bash
iptables -A INPUT -p tcp --dport 8009 -s 192.168.1.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 8009 -j DROP
```

4. Use a VPN or network segmentation to isolate Tomcat from untrusted networks. Ensure the AJP port is only reachable from your internal network.
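To verify the workarounds above across a fleet, an added example (not part of this report or of Tomcat itself): a Python check that parses a server.xml and flags every AJP connector that is still enabled and not bound to a loopback address. The sample server.xml is constructed here; the `secret`/`requiredSecret` attribute check is an assumption about the connector attributes of patched and older Tomcat releases and is reported only as extra context.

```python
"""Audit a Tomcat server.xml for AJP connectors exposed beyond loopback (CVE-2020-1938)."""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: one exposed AJP connector, one loopback-only, one commented out.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- no address attribute: Tomcat binds this connector to all interfaces -->
    <Connector protocol="AJP/1.3" port="8009" redirectPort="8443" />
    <!-- workaround 2 applied: bound to loopback -->
    <Connector protocol="AJP/1.3" port="8010" address="127.0.0.1" redirectPort="8443" />
    <!-- workaround 1 applied: connector commented out, so the parser never sees it -->
    <!-- <Connector protocol="AJP/1.3" port="8011" redirectPort="8443" /> -->
  </Service>
</Server>
"""


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector: port, bind address, exposure, secret present."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # Tomcat treats a missing protocol attribute as HTTP/1.1, not AJP.
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue
        address = conn.get("address")  # None means "listen on all interfaces"
        # Assumption: 'secret' (patched releases) or 'requiredSecret' (older releases).
        has_secret = bool(conn.get("secret") or conn.get("requiredSecret"))
        findings.append({
            "port": conn.get("port"),
            "address": address,
            "exposed": address is None or address not in LOOPBACK,
            "has_secret": has_secret,
        })
    return findings


def exposed_ajp_ports(server_xml: str) -> list:
    """Ports of AJP connectors that are reachable from non-loopback interfaces."""
    return [f["port"] for f in audit_ajp_connectors(server_xml) if f["exposed"]]


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP port {f['port']} address={f['address']}: "
              f"{'EXPOSED' if f['exposed'] else 'loopback-only'}")
```

Run it against each host's $CATALINA_HOME/conf/server.xml; any port listed by `exposed_ajp_ports` still needs workaround 1, 2 or 3 (or the patched release) applied.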

CISA recommendation: Apply updates per vendor instructions.

Source: This report was generated by AI.

Related Apache vulnerabilities

No related vulnerabilities with identified affected products.