What is the CVE-2020-1938 Ghostcat vulnerability?
Ghostcat is a vulnerability in Apache Tomcat 6.x, 7.x, 8.x and 9.x that allows arbitrary file reads from a web application and, in certain scenarios, remote code execution. Tomcat ships with the AJP connector, which in the affected releases is enabled by default and listens on all addresses on port 8009. AJP is the binary protocol that a front-end reverse proxy (for example Apache httpd with mod_jk or mod_proxy_ajp) uses to hand requests to Tomcat, so Tomcat treats an AJP connection with more trust than a plain HTTP connection. An attacker who can reach port 8009 directly inherits that trust and can perform actions that were never intended for an untrusted user.
Concretely, an AJP forward request carries request attributes that Tomcat accepts as-is because they are supposed to come from the proxy; by speaking AJP directly and setting those attributes, an attacker controls which resource Tomcat serves. Ghostcat therefore lets an attacker read arbitrary files from anywhere inside the web application, including the WEB-INF and META-INF directories and anything else reachable through ServletContext.getResourceAsStream() (web.xml, configuration files, source code). It also lets the attacker have any file in the web application processed as a JSP, regardless of its extension.
Remote code execution is not possible by default. If an application running on an affected Tomcat version also has a file upload vulnerability, an attacker can chain the two: upload a file containing JSP code, then use Ghostcat to have that file processed as a JSP. For this to work the attacker must be able to save uploaded files somewhere inside the document root of a web application, and must be able to reach the AJP port directly from outside the target's network.
What makes Ghostcat a severe security vulnerability?
At the time of disclosure (February 2020) more than 1 million Tomcat servers were publicly reachable on the internet, and the vulnerability was present in every Tomcat release of the preceding 13 years (6.x, 7.x, 8.x and 9.x). It was fixed in Tomcat 9.0.31, 8.5.51 and 7.0.100; Tomcat 6.x is end of life and received no fix.
Ghostcat also affects Tomcat's default configuration. In the affected releases the AJP connector is enabled in the shipped server.xml and listens on port 8009 on all interfaces, so any server whose port 8009 is reachable from the internet can be attacked directly. In the fixed releases the AJP connector is commented out of the default server.xml, binds to the loopback interface when enabled, and refuses to start without a secret unless secretRequired="false" is set explicitly.
Publicly available exploits make it easy for attackers to launch attacks:
GitHub - laolisafe/CVE-2020-1938: CVE-2020-1938 vulnerability reproduction (https://github.com/laolisafe/CVE-2020-1938)
GitHub - xindongzhuaizhuai/CVE-2020-1938 (https://github.com/xindongzhuaizhuai/CVE-2020-1938)
GitHub - YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi: Tomcat AJP protocol file read vulnerability (https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi)
GitHub - nibiwodong/CNVD-2020-10487-Tomcat-ajp-POC: CNVD-2020-10487 (CVE-2020-1938) Tomcat AJP file read vulnerability PoC (https://github.com/nibiwodong/CNVD-2020-10487-Tomcat-ajp-POC)
Is there a solution for Ghostcat?
The real fix is to upgrade to Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. For servers that cannot be upgraded immediately, the Black Duck Security Advisory for Ghostcat suggests the following temporary workarounds:
If the AJP connector is not needed (deployments that front Tomcat with nginx or an HTTP reverse proxy, or expose Tomcat directly over HTTP, do not use it), disable it by commenting out or removing the AJP Connector line in $CATALINA_HOME/conf/server.xml and then restarting Tomcat.
If AJP is needed and an upgrade is not possible, bind the connector to a specific address (the loopback or an internal interface that only the proxy can reach) and configure an AJP secret. In releases before the fix the attribute is called requiredSecret; in 9.0.31, 8.5.51 and 7.0.100 onward it is called secret (requiredSecret still works there but is deprecated). The reverse proxy must send the same secret (mod_jk via worker.<name>.secret, mod_proxy_ajp via the secret= ProxyPass parameter available from httpd 2.4.42), otherwise its requests are rejected too. The secret only stops unauthenticated AJP requests; firewalling port 8009 so that only the proxy can reach it is still advisable. With placeholder values:
Unpatched releases (7.0.x before 100, 8.5.x before 51, 9.0.x before 31):
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="YOUR_TOMCAT_IP_ADDRESS" requiredSecret="YOUR_TOMCAT_AJP_SECRET"/>
Fixed releases:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="YOUR_TOMCAT_IP_ADDRESS" secretRequired="true" secret="YOUR_TOMCAT_AJP_SECRET"/>
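Checking a fleet of server.xml files by hand for these settings is error prone, so here is an added example (written for this page, not taken from the page, from Black Duck or from the Apache Tomcat project) that audits a server.xml for the conditions Ghostcat depends on: an enabled AJP connector that listens on all interfaces, has no secret, or has secretRequired="false". The two server.xml documents embedded in it are constructed samples, one matching Tomcat's traditional default and one matching the hardened connector above; the secret value in the hardened sample is a placeholder.

```python
"""Audit a Tomcat server.xml for an exposed or unauthenticated AJP connector.

Added example for this page; not code from the page or from Apache Tomcat.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the traditional default, AJP on all interfaces, no secret.
VULNERABLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed sample: hardened connector, loopback only, secret required.
# The old connector is commented out, which is the 'disable AJP' workaround.
HARDENED_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" secretRequired="true"
               secret="placeholder-change-me"/>
  </Service>
</Server>
"""


def is_ajp_connector(conn):
    """AJP connectors are declared as protocol="AJP/1.3" or with one of the
    org.apache.coyote.ajp.* implementation class names."""
    proto = conn.get("protocol", "HTTP/1.1")
    return proto == "AJP/1.3" or proto.startswith("org.apache.coyote.ajp.")


def audit_server_xml(xml_text):
    """Return a list of (port, finding) tuples for every enabled AJP connector.

    Commented-out connectors are dropped by the XML parser, so a disabled
    connector produces no findings, which is the intended result.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if not is_ajp_connector(conn):
            continue
        port = conn.get("port", "8009")
        addr = conn.get("address")
        if addr is None or addr in ("0.0.0.0", "::"):
            findings.append((port, "AJP listens on all interfaces (no address= or wildcard)"))
        # Pre-fix releases use requiredSecret; fixed releases use secret.
        secret = conn.get("secret") or conn.get("requiredSecret")
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append((port, 'secretRequired="false" disables AJP authentication'))
        elif not secret:
            findings.append((port, "no AJP secret configured (secret= / requiredSecret=)"))
    return findings


if __name__ == "__main__":
    import sys
    # Pass a path to a real server.xml; without one the vulnerable sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else VULNERABLE_SERVER_XML
    results = audit_server_xml(text) or [("-", "no enabled AJP connector issues found")]
    for port, finding in results:
        print(f"port {port}: {finding}")
```

The audit only sees what is in server.xml; a connector that passes it can still be reachable from the internet if the address it binds to is routable, so pair it with a network check from outside the proxy segment.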
Source: https://www.turkhackteam.org/konular/cve-2020-1938-ghostcat-guvenlik-acigi-nedir.2047931/