Overview
Apache Tomcat contains a critical vulnerability, CVE-2020-1938 ("Ghostcat"), in its AJP (Apache JServ Protocol) connector. An attacker who can reach the connector can read any file inside a deployed web application and, where the application separately lets them place a file on the server (for example through an upload feature), have that file processed as a JSP, which yields remote code execution. The affected versions are Tomcat 7.0.0 to 7.0.99, 8.5.0 to 8.5.50 and 9.0.0.M1 to 9.0.30; end-of-life branches such as 6.x and 8.0.x are also affected and received no fix. In the affected versions the default server.xml enables the AJP connector on port 8009 bound to all network interfaces and does not require a shared secret, so any host that can open a TCP connection to that port can submit AJP requests directly to Tomcat, bypassing whatever reverse proxy was supposed to sit in front of it. The vulnerability was disclosed on February 24, 2020. CISA lists CVE-2020-1938 in its Known Exploited Vulnerabilities catalog; whether it has been used in ransomware campaigns is recorded there as unknown.
Technical details
The vulnerability was reported to the Apache Tomcat security team by Chaitin Tech, who named it Ghostcat. The AJP protocol lets a front-end web server such as Apache httpd (mod_jk or mod_proxy_ajp) or nginx forward HTTP requests to Tomcat in a compact binary form. Because an AJP connection is assumed to come from a trusted proxy, Tomcat honored request attributes carried in AJP forward-request packets without restriction, including the internal attributes javax.servlet.include.request_uri, javax.servlet.include.path_info and javax.servlet.include.servlet_path. An attacker who can speak AJP to the connector directly can set these attributes so that the DefaultServlet returns any file under the web application's root (for example /WEB-INF/web.xml, compiled classes, or configuration bundled with the application), or so that the JspServlet compiles and executes any file under that root as a JSP. The second path gives remote code execution only when the attacker can first get a file with their own content stored under the web application, for instance through an upload feature of the application itself; the AJP flaw does not provide an upload primitive on its own, and files outside the web application root are not reachable.
The vulnerability has been classified as CWE-917 (Expression Language Injection), CWE-434 (Unrestricted Upload of File with Dangerous Type) and CWE-426 (Untrusted Search Path). Those labels describe the downstream effects; the root cause, as the Apache advisory puts it, is that Tomcat treated AJP connections as having higher trust than an equivalent HTTP connection and accepted proxy-supplied request attributes from anyone who could reach the port.
The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: exploitable over the network with no privileges or user interaction, with high impact on confidentiality, integrity and availability.
Impact
An attacker with network access to the AJP port can:
1. Read any file inside a deployed web application (for example WEB-INF/web.xml, compiled classes, and configuration or credentials bundled with the application)
2. Execute arbitrary code by having a file they were able to place under the web application (for example through an upload feature of the application) compiled and run as a JSP
3. From there, completely compromise the Tomcat server and every application it hosts
4. Run with whatever privileges the Tomcat process has, including root if Tomcat was started as root (not recommended, but still common)
5. Access sensitive data stored in application databases using credentials read from the application
6. Modify or delete application files and data
This is particularly critical in containerized environments where Tomcat runs as the main process, and in Kubernetes clusters where pod-to-pod traffic is not segmented by network policy. Many organizations expose the AJP port unintentionally: through a load balancer or service definition that forwards every listening port, or simply because other workloads share the same network and the connector was never bound to loopback.
Mitigation and workarounds
Upgrade to a fixed release. The following versions include the fix: Tomcat 7.0.100 and later (7.x branch), Tomcat 8.5.51 and later (8.5.x branch), Tomcat 9.0.31 and later (9.0.x branch). Branches that were already end-of-life (6.x, 8.0.x) received no fix and must be migrated. In the fixed releases the AJP connector is commented out in the default server.xml, binds to the loopback address when enabled, and refuses to start unless a shared secret is configured (secretRequired defaults to true), so an upgrade also changes the default exposure.
1. Download the fixed release from https://tomcat.apache.org/download-80.cgi (for 8.5.x; use the download page for your branch)
2. Back up your current Tomcat installation and configuration
3. Extract the fixed release
4. Copy your configuration files from the old installation to the new one, then review conf/server.xml: re-enable the AJP connector only if a reverse proxy actually uses it, and if so set address and secret as described under the workarounds below
5. Restart Tomcat
6. Verify that the AJP connector is either absent or listening only where intended (for example with ss -ltnp or netstat -ltnp on the host)
As temporary workarounds, or as defense in depth after the upgrade:
1. Disable the AJP connector if nothing uses it. Edit $CATALINA_HOME/conf/server.xml and comment out or remove the AJP connector line:
```xml
<!-- <Connector protocol="AJP/1.3" port="8009" redirectPort="8443" /> -->
```
2. If a reverse proxy on the same host uses AJP, bind the connector to localhost only by modifying the connector line in server.xml:
```xml
<Connector protocol="AJP/1.3" port="8009" address="127.0.0.1" redirectPort="8443" />
```
3. On a fixed release, also require a shared secret; the connector will not start without one unless you explicitly set secretRequired="false". The same secret must be configured on the proxy side (the worker's secret property in mod_jk, or the secret parameter of mod_proxy_ajp in httpd 2.4.42 and later):
```xml
<Connector protocol="AJP/1.3" port="8009" address="127.0.0.1" secretRequired="true" secret="replace-with-a-long-random-value" redirectPort="8443" />
```
4. Use firewall rules to restrict access to the AJP port (default 8009) to trusted IPs only (your reverse proxy servers). For example, with iptables, allowing a single proxy at 192.168.1.10 and dropping everything else:
```bash
iptables -A INPUT -p tcp --dport 8009 -s 192.168.1.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 8009 -j DROP
```
5. Use VPN or network segmentation to isolate Tomcat from untrusted networks, and confirm that no load balancer, NodePort or Service definition forwards port 8009. The AJP port should be reachable only from the hosts that proxy to it.
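The workarounds above all come down to how each AJP Connector element in server.xml is configured, which makes them easy to check mechanically. The script below is an added example (not from the original advisory or the Tomcat project): it parses a server.xml, finds every AJP connector that is not commented out, and reports connectors bound to all interfaces, connectors with the secret requirement switched off, and connectors with no secret at all. The two server.xml fragments are constructed sample input, a weak one matching the pre-fix default and a hardened one matching the workarounds; the finding messages are the example's own wording.

```python
"""Audit a Tomcat server.xml for exposed AJP connectors.

Added example for this advisory (not Tomcat project code). Checks each
AJP connector for: binding to all interfaces, secretRequired="false",
and a missing shared secret. The secret/secretRequired attributes exist
from 7.0.100, 8.5.51 and 9.0.31; on older releases a missing secret
simply means the connector is unauthenticated.
"""
import sys
import xml.etree.ElementTree as ET
from typing import List

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: the pre-fix default, enabled on every interface, no secret.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector protocol="AJP/1.3" port="8009" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed sample: bound to loopback with a required shared secret.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector protocol="AJP/1.3" port="8009" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-long-random-value"
               redirectPort="8443" />
  </Service>
</Server>"""


def is_ajp(connector: ET.Element) -> bool:
    """True for protocol="AJP/1.3" and for explicit AJP protocol class names."""
    return "AJP" in connector.get("protocol", "HTTP/1.1").upper()


def audit(server_xml: str) -> List[str]:
    """Return a list of findings; an empty list means no exposed AJP connector.

    Commented-out connectors are never seen because the XML parser drops
    comments, which matches Tomcat's own behaviour.
    """
    findings: List[str] = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not is_ajp(conn):
            continue
        port = conn.get("port", "8009")
        # Before 9.0.31/8.5.51/7.0.100 a missing address meant all interfaces.
        address = conn.get("address", "0.0.0.0")
        if address not in LOOPBACK:
            findings.append(
                f"port {port}: AJP bound to {address}; set address=\"127.0.0.1\" "
                f"or firewall the port to the proxy hosts")
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append(
                f"port {port}: secretRequired=\"false\" disables AJP authentication")
        elif not conn.get("secret"):
            findings.append(
                f"port {port}: no shared secret; unauthenticated on unpatched "
                f"releases, will not start on fixed releases")
    return findings


if __name__ == "__main__":
    # Assumed usage: python audit_ajp.py /path/to/conf/server.xml
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else WEAK_SERVER_XML
    for line in audit(text) or ["no exposed AJP connector found"]:
        print(line)
```

Pair this with the network probe: the audit tells you what server.xml intends, the probe tells you what is actually reachable, and a disagreement between them usually points at a load balancer or container port mapping rather than at Tomcat.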
CISA's recommendation: Apply updates per vendor instructions.
Additional resources
Apache Tomcat security pages listing the fixed releases for each branch: https://tomcat.apache.org/security-9.html, https://tomcat.apache.org/security-8.html, https://tomcat.apache.org/security-7.html
Source: This report was generated using AI

