- Apache Tomcat has a serious vulnerability that has been present for more than a decade
- Called Ghostcat, the bug is a ‘file read and inclusion’ bug
- Can allow for remote code execution by unauthorized users, if not patched
- The flaw resides in the AJP protocol used by the AJP connector
- Users advised to disable the AJP connector or upgrade to the patched versions
Apache Tomcat is a software that is used to deploy Java Servlets and JSPs.
It offers a “pure Java” HTTP web server environment for Java code to run.
Needless to say, it’s highly popular among the cyber world.
But what happens when the same environment turns hostile for cybersecurity?
What happens when the software starts offering unauthenticated users access to its files, permission to upload and a fertile ground for execution?
This is what is happening with Apache Tomcat. In a recently discovered file read and inclusion bug called Ghostcat, rated 9.8 on its severity scale, an attacker can read the configuration files and execute them as JSP (Java Server Page) leading to serious remote code execution attacks.
The Ghostcat vulnerability in Tomcat
The vulnerability was discovered by Chaitin Tech, a Chinese cybersecurity company.
It is interesting or rather unfortunate to know that the flaw has been residing in Apache Tomcat for more than 10 years!
However, now that it’s come under the lens with several proof of concept exploits popping up online, Apache has fixed the vulnerability in its latest Tomcat release.
So, if you are using Apache Tomcat, you need to upgrade to the latest versions (Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later) before you read anything more about this damaging flaw.
The flaw resides in the Tomcat AJP protocol (Apache JServ Protocol) that allows Tomcat to communicate with an Apache web server.
Now, Tomcat is shipped with an AJP connector that is basically its connection to the external world. Using the connector, Tomcat can receive requests and respond to them.
Apache Tomcat previous versions came along with an enabled AJP connector that listened at 0.0.0.0:8009, and it was suggested that the connector be turned off if not in use.
But people hardly pay any heed to security suggestions.
The Ghostcat vulnerability can be understood in three parts:
- Returning arbitrary files from the web app: This allows the attacker to read the contents of config files and source code of web apps
- Uploading a file and storing it in the web app: Here, the attacker can upload a file that has malicious JSP code
- Processing a file as Java Server Page: Finally, the attacker can execute the malicious file using this permission and perform remote code exeuction.
How can the Ghostcat vulnerability be avoided?
Well, you can’t really avoid the vulnerability since it’s already present for about more than a decade like a ghost in the Apache Tomcat. (Hence, the name Ghostcat). The following versions are affected.
- Apache Tomcat 9.x < 9.0.31
- Apache Tomcat 8.x < 8.5.51
- Apache Tomcat 7.x < 7.0.100
- Apache Tomcat 6.x
All you can do is fix the vulnerability by upgrading your software to the latest patched versions.
But before that, you need to check if your AJP port is enabled and accessible to people who you don’t trust.
- You don’t need to worry if that you had disabled it. But it’s still recommended that you upgrade your Tomcat to new versions for future use. You can even change the connector’s listening address to the localhost.
- If, on the other hand, you actively use your connector, then make sure it’s upgraded and the AJP protocol has some authentication credentials set on it. For example:
<Connector port=”8009″ protocol=”AJP/1.3″ redirectPort=”8443″ address=”YOUR_TOMCAT_IP_ADDRESS” secret=”YOUR_TOMCAT_AJP_SECRET” />
Share this news with others who could benefit from this and let us know what you think about this?
Do you have any more information on this? Or do you have a question? You can write to us in the comments section below.
And keep an eye out on our news section so as not to miss important cybersecurity updates.
Stay tuned, stay safe.