Mitigation Instructions for Apache HTTP Server versions 2.1.x to 2.2.x
SUBJECT: Unsupported Version of Apache HTTP Server Detection
1 min read
CyRisk Vulnerability Management Team
:
Jun 18, 2024 12:39:47 PM
SUBJECT: CVE-2020-1938 Apache Tomcat AJP File Read/Include Vulnerability (Ghostcat)
TECH STACK: Apache Tomcat versions 6.x, 7.x, 8.x, and 9.x
DATE(S) ISSUED: 02/24/2020
CRITICALITY: HIGH
OVERVIEW:
CVE-2020-1938, also known as Ghostcat, is a vulnerability in the Apache JServ Protocol (AJP) connector in Apache Tomcat. It allows an unauthenticated remote attacker to read or include files in the web application's directories on the server. This vulnerability affects Apache Tomcat versions 6.x, 7.x, 8.x, and 9.x.
The vulnerability occurs due to insufficient validation of incoming AJP requests. Exploitation of this vulnerability can lead to unauthorized access to sensitive files, including configuration files and source code, which can be leveraged to further compromise the server.
THREAT INTELLIGENCE:
Ghostcat has been actively exploited in the wild, making it a significant threat to vulnerable systems. The ease of exploitation and the critical nature of data that can be accessed make this vulnerability a high priority for mitigation.
NIST: NVD
Base Score: 9.8 CRITICAL
Vector: CVSS:3.1/AV
SOLUTION:
Steps to Mitigate:
Upgrade Tomcat:
Disable AJP Connector (if not needed):
server.xml
configuration file.<!--
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
-->
Secure AJP Connector (if needed):
address
attribute to bind the connector to a specific IP address or use a firewall to block unwanted traffic.<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" secret="your_secret" />
secret
attribute is a strong, randomly generated password and update your web server configuration to use this secret.Review and Harden Configuration:
server.xml
and web.xml
files for any insecure configurations.Monitor and Audit:
REFERENCES:
SUBJECT: Unsupported Version of Apache HTTP Server Detection
SUBJECT: Microsoft-IIS/7.0 Unsupported Web Server Detection
SUBJECT: CVE-2024-4577 PHP-CGI Argument Injection Vulnerability