Ghostcat (CVE-2020-1938) is an Apache Tomcat vulnerability that allows remote code execution in some circumstances. Here’s how to find and mitigate it.
Ghostcat is a vulnerability found in Apache Tomcat versions 6.x, 7.x, 8.x, and 9.x that allows remote code execution in some circumstances. Apache Tomcat includes the AJP connector, which is enabled by default and listens on all addresses on port 8009. This connection is treated with more trust than a connection such as HTTP, allowing an attacker to exploit it to perform actions that are not intended for an untrusted user.
Ghostcat allows an attacker to retrieve arbitrary files from anywhere in the web application, including the `WEB-INF` and `META-INF` directories and any other location that can be reached via
ServletContext.getResourceAsStream(). It also allows the attacker to process any file in the web application as JSP.
Remote code execution is not possible by default. If an application running on an affected version of Tomcat contains a file upload vulnerability, an attacker can exploit it in combination with Ghostcat to achieve remote code execution. However, the attacker must be able to save the uploaded files to the document root and to reach the AJP port directly from outside the target’s network.
The popularity of Apache Tomcat makes this vulnerability severe. More than 1 million actively reachable servers on the internet are running Apache Tomcat. This vulnerability is present in all versions of Apache Tomcat released in the last 13 years (versions 6.x/7.x/8.x/9.x).
Ghostcat also affects the default configuration of Tomcat, and many servers may be vulnerable to attacks directly from the internet. Apache Tomcat’s AJP connector is enabled by default on all Tomcat servers and listens on the server’s port 8009.
The availability of public exploits makes it easy for malicious actors to launch attacks:
The Black Duck Security Advisory for the Ghostcat vulnerability suggests the following workaround:
The AJP connector service can be disabled by commenting out or removing the appropriate line from the
$CATALINA_HOME/conf/server.xml file and restarting Tomcat.
If an upgrade is not possible, the
requiredSecret attribute can be configured to set AJP protocol authentication credentials like so:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="YOUR_TOMCAT_IP_ADDRESS" secret="YOUR_TOMCAT_AJP_SECRET"/>
The best way to know what’s in your code is with software composition analysis (SCA). SCA tools scan an application to create a software bill of materials, or an inventory of all the open source components in the application. Black Duck, our SCA solution, relies on several scanning techniques, including signature matching, package manager inspection, and snippet matching, across different types of applications, such as web apps, mobile apps, thin clients, thick clients, Docker containers, and binary files. For each component, Black Duck also provides security vulnerability information, as well as public exploits, workarounds, solutions, version upgrade advisories, and detailed vulnerability explanations.
New vulnerabilities are discovered every day in already released open source components. The Ghostcat vulnerability is a perfect example of how a new vulnerability in a popular component can have a widespread effect. Apache Tomcat is a very widely used open source component, with more than 10 million downloads, per the Apache Foundation blog. So how can your development and security teams stay up to date on all new vulnerabilities found in the open source components you already use?
Black Duck’s enhanced vulnerability reports include information from both the NVD security feed and Black Duck Security Advisories, our own proprietary security feed from the Cybersecurity Research Center (CyRC). The best part is that you don’t need to keep rescanning your applications to uncover new vulnerabilities. When we update the Black Duck KnowledgeBase™ (which we do every hour), any new vulnerability information related to the open source components in your applications is pushed to you in the form of new notifications. You can drill down to the exact open source component that contains a vulnerability and apply a fix.
The Black Duck Security Advisory for CVE-2020-1938 tags this vulnerability as BDSA-2020-0339, as shown in the image below, and includes the workaround, the CVSS 3.0 score, and the CVSS 2.0 score.
The Black Duck Security Advisory for CVE-2020-1938 / BDSA-2020-0339
In short, Black Duck software composition analysis keeps development teams and security teams up to date with any new vulnerabilities that affect the open source components in their applications.
Tanay Sethi is an experienced application security and open source compliance professional. He is a speaker and has actively participated in many international security conferences. He has helped many system integrators and enterprises to set up open source compliance and security practices across India, Asia Pacific, and China.