External risk intelligence

Apache Tomcat AJP File Access and Code Execution Vulnerability

CVE advisoryKnown Exploit

CVE-2020-1938

The Apache Tomcat AJP Connector vulnerability allows attackers to access arbitrary files or process files as JSP, potentially leading to remote code execution. This impacts organizations using affected Apache Tomcat versions, posing a risk to system integrity and data confidentiality if AJP ports are exposed.

4Halo Surface Signal

Remote Code Execution

Apache Geode

1.12.07.0.0 to before 7.0.1008.5.0 to before 8.5.519.0.0 to before 9.0.313031326.2.1.09.3.39.3.59.3.68.1.18.2.08.2.110.0.1.4.01.0.1.27.3.34.2.04.2.117.1 to 17....

External exposure likelihood

Halo Surface Signal score for CVE-2020-1938

The AJP protocol is a core component used in common Apache Tomcat deployments to communicate between web servers and application servers. While intended for internal use, the vulnerability involves an AJP connector that was often exposed or reachable in many server configurations, making it a common target for network-based access in web application infrastructure.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

Apache Tomcat, when using the Apache JServ Protocol (AJP), has a vulnerability that allows unauthorized access to files and processing of web application content. This flaw can potentially enable remote code execution if file upload functionalities are also present and accessible. The impact is significant due to the potential for attackers to gain control over affected systems.

  • Vulnerable Apache Tomcat AJP Connector
  • Allows arbitrary file retrieval and JSP processing
  • Potential for remote code execution

Attack Path

How an attacker could exploit the issue

Attackers can exploit a default configuration in Apache Tomcat to gain unauthorized access to sensitive files and execute arbitrary code. The Apache JServ Protocol (AJP) connection, which is enabled by default and trusted more than standard HTTP connections, provides the entry point. By manipulating this connection, an attacker can read any file from the web application or have files processed as JavaServer Pages (JSP). If the application permits file uploads, this capability can lead to remote code execution, compromising the integrity and confidentiality of the affected organization's systems and data.

  • Exposed AJP port.
  • Attacker accesses files or executes code.
  • Arbitrary file access or JSP execution.

Live Threat

Current exploitation, exposure, and threat context

This critical vulnerability, also known as Ghostcat, allows attackers to access sensitive information and potentially execute arbitrary code on affected Apache Tomcat servers. The exploitation leverages the AJP protocol, which is treated with higher trust than HTTP by Tomcat. Attackers can read arbitrary files from web applications and, under specific conditions, process these files as JSP, enabling remote code execution. The impact can be severe, potentially leading to unauthorized access, data breaches, and system compromise. Given the widespread use of Apache Tomcat and the availability of exploits, this vulnerability warrants immediate attention and remediation.

  • Likely attacker skill level: Any skill level.
  • Required access or conditions: AJP port accessible to untrusted users.
  • Business risk or urgency: Critical.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Apache Tomcat could allow an attacker to access arbitrary files or process them as code, potentially leading to remote code execution. The risk is present if the AJP port is accessible to untrusted users. Organizations should address this by identifying systems using affected Tomcat versions, mitigating exposure, applying vendor updates, and verifying the fix.

  • Find servers using Apache Tomcat.
  • Disable AJP if not needed.
  • Apply vendor updates and verify.
  • Monitor for related activity.

Frequently asked questions

What is CVE-2020-1938 and which Apache products are affected?

CVE-2020-1938 is a critical vulnerability affecting Apache Tomcat versions 7.0.0 through 7.0.99, 8.5.0 through 8.5.50, and 9.0.0.M1 through 9.0.0.30. It arises from the way Tomcat handles the Apache JServ Protocol (AJP), treating it with a higher level of trust than HTTP connections. This trust can be exploited if AJP connections are accessible to attackers. The vulnerability also impacts other products such as Apache Geode, Fedora, and various Oracle products that may use or integrate with affected Tomcat...

How does the Apache Tomcat vulnerability (CVE-2020-1938) enable attackers to compromise systems?

The vulnerability, CVE-2020-1938, allows attackers to exploit the trust granted to AJP connections. This can lead to two primary malicious actions: returning arbitrary files from the web application and processing any file within the web application as a JSP file. If a web application allows file uploads and stores them within the application's structure, or if an attacker can otherwise control file content, this vulnerability can be chained to achieve remote code execution by processing a crafted file as a JSP.

What is the trigger path for CVE-2020-1938 and what is the scope of impact?

The trigger path for CVE-2020-1938 involves an attacker gaining access to an AJP port, which was often enabled by default and listened on all IP addresses in vulnerable Tomcat versions. By sending specially crafted AJP requests, an attacker can manipulate the server to reveal sensitive files or execute arbitrary code. The scope is a Universal (U) system, meaning the vulnerability affects the system itself, allowing for complete compromise if code execution is achieved. However, mitigation is only necessary if...

Why is CVE-2020-1938 considered a significant threat, and how does Halo Surface Signal assess its risk?

CVE-2020-1938 is a significant threat because it can lead to remote code execution and the disclosure of arbitrary files within a web application. Halo Surface Signal rates this vulnerability as 'Likely' due to the AJP protocol being a core component in common Apache Tomcat deployments, often exposed or reachable in many server configurations, making it a frequent target for network-based attacks on web application infrastructure. The critical CVSS score of 9.8 further underscores its severity.

What are the recommended steps to remediate CVE-2020-1938 and protect Apache Tomcat environments?

To remediate CVE-2020-1938, users should upgrade Apache Tomcat to versions 9.0.31, 8.5.51, 7.0.100, or later. These newer versions include changes to the default AJP Connector configuration to improve security. Additionally, it is recommended to disable the AJP Connector if it is not actively required, as it was often enabled by default in vulnerable versions. Users upgrading to fixed versions may need to adjust their configurations slightly due to these security hardening changes.

References

Sources and related resources

Primary sources: NVD, CVE.org, CISA KEV.

NVDPublished Modified