Security

Mitigation Instructions for CVE-2020-1938

Written by CyRisk Vulnerability Management Team | Jun 18, 2024 4:39:47 PM

SUBJECT: CVE-2020-1938 Apache Tomcat AJP File Read/Include Vulnerability (Ghostcat)

TECH STACK: Apache Tomcat versions 6.x, 7.x, 8.x, and 9.x

DATE(S) ISSUED: 02/24/2020

CRITICALITY: HIGH

OVERVIEW:

CVE-2020-1938, also known as Ghostcat, is a vulnerability in the Apache JServ Protocol (AJP) connector in Apache Tomcat. It allows an unauthenticated remote attacker to read or include files in the web application's directories on the server. This vulnerability affects Apache Tomcat versions 6.x, 7.x, 8.x, and 9.x.

The vulnerability occurs due to insufficient validation of incoming AJP requests. Exploitation of this vulnerability can lead to unauthorized access to sensitive files, including configuration files and source code, which can be leveraged to further compromise the server.

THREAT INTELLIGENCE:

Ghostcat has been actively exploited in the wild, making it a significant threat to vulnerable systems. The ease of exploitation and the critical nature of data that can be accessed make this vulnerability a high priority for mitigation.

NIST: NVD

Base Score: 9.8 CRITICAL

Vector: CVSS:3.1/AV

 
/AC
 
/PR
 
/UI
 
/S
 
/C
 
/I
 
/A
 

 

SOLUTION:

Steps to Mitigate:

  1. Upgrade Tomcat:

    • Upgrade to Apache Tomcat 9.0.31, 8.5.51, or 7.0.100 as these versions contain fixes for the Ghostcat vulnerability.
    • Download the latest version from the Apache Tomcat download page.
    • Follow the installation instructions provided on the Apache Tomcat website to ensure the new version is properly installed.
  2. Disable AJP Connector (if not needed):

    • Edit the server.xml configuration file.
    • Comment out or remove the AJP connector configuration:
      xml
       
      <!--
      <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
      -->
  3. Secure AJP Connector (if needed):

    • If the AJP connector is required, restrict access to trusted clients only by using the address attribute to bind the connector to a specific IP address or use a firewall to block unwanted traffic.
    • Set a secret required for AJP connections:
      xml
       
      <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" secret="your_secret" />
    • Ensure the secret attribute is a strong, randomly generated password and update your web server configuration to use this secret.
  4. Review and Harden Configuration:

    • Regularly review the server.xml and web.xml files for any insecure configurations.
    • Ensure that the minimum necessary permissions are granted to the Tomcat server and its files.
  5. Monitor and Audit:

    • Implement logging and monitoring to detect and respond to potential exploitation attempts.
    • Use tools like intrusion detection systems (IDS) and web application firewalls (WAF) to add additional layers of security.

REFERENCES: