Every Apache Tomcat release prior to the fixed builds listed below is affected by a vulnerability dubbed Ghostcat, which attackers could use to read configuration files from, or plant backdoors on, vulnerable servers. The flaw, tracked as CVE-2020-1938, affects Tomcat's AJP connector and was identified by the Chinese cybersecurity firm Chaitin Tech. The Apache JServ Protocol (AJP) is a binary protocol used to proxy incoming requests from a front-end web server (for example Apache httpd with mod_jk or mod_proxy_ajp) to an application server such as Tomcat.

"Ghostcat is a serious vulnerability in Tomcat discovered by a security researcher of Chaitin Tech. Due to a flaw in the Tomcat AJP protocol, an attacker can read or include any files in the webapp directories of Tomcat," states the website set up to describe the issue. "For example, an attacker can read the webapp configuration files or source code. In addition, if the target web application has a file upload function, the attacker may execute malicious code on the target host by exploiting file inclusion through the Ghostcat vulnerability."

A Tomcat Connector is what lets Tomcat talk to the outside world: it allows Catalina, the servlet container, to accept requests from clients, forward them to the appropriate web application for processing, and return the response. By default Tomcat ships with two connectors, HTTP on port 8080 and AJP on TCP port 8009. The AJP connector listens on the server itself, not in the browser, and before the fix it was enabled out of the box and bound to all network interfaces, so any host that could reach port 8009 could speak AJP to Tomcat directly.

The Ghostcat flaw in AJP lets an unauthenticated attacker read arbitrary files from the web application's directories, for instance configuration files containing database passwords or API tokens. When chained with a way to get a file onto the server, such as an application's upload feature, the same flaw lets the attacker include that file as a JSP and execute it, which is how a web shell or other malware ends up running on the host. Versions of Tomcat affected by Ghostcat are:
Apache Tomcat 9.x < 9.0.31
Apache Tomcat 8.x < 8.5.51
Apache Tomcat 7.x < 7.0.100
Apache Tomcat 6.x (all versions; this branch is end of life and receives no fix)
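The script below is added here as an illustration of the configuration side of the problem; it is not part of the original article and is not Chaitin or Apache tooling. It parses a Tomcat server.xml and flags AJP connectors that are reachable in the way Ghostcat requires: enabled, bound to every interface, and without a shared secret. The two embedded server.xml fragments are constructed samples: the first mirrors the pre-fix default (AJP/1.3 on port 8009, no address, no secret), the second the shape the fixed releases expect (loopback address, secretRequired="true" plus a secret). The connector attributes address, secret, requiredSecret and secretRequired are the real Tomcat AJP attributes; the issue codes and the report() helper are this script's own naming.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample mirroring the default server.xml shipped before the fix:
# the AJP connector is enabled, has no address (so it binds to every
# interface) and no shared secret, which is exactly what Ghostcat needs.
VULNERABLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample in the shape the fixed releases expect: bound to the
# loopback interface and protected by a shared secret that the front-end
# proxy (mod_jk / mod_proxy_ajp) must present on every request.
HARDENED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-long-random-value"
               redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

WILDCARD_ADDRESSES = {"0.0.0.0", "::", "*"}


def audit_ajp_connectors(server_xml):
    """Return one finding per active AJP connector in a server.xml document.

    Each finding is {"port", "address", "issues"}; an empty issues list means
    the connector is bound to a specific address and carries a shared secret.
    Issue codes (this script's own naming, not Tomcat's):
      bind-all-interfaces  no address attribute, or a wildcard address; on
                           Tomcat older than the fixed releases a missing
                           attribute means "listen on every interface"
      no-secret            neither secret (9.0.31+) nor requiredSecret (older
                           releases) is set, so any client may speak AJP
      secret-not-required  secretRequired="false" explicitly disables the check
    Connectors that are commented out in server.xml are inactive; the XML
    parser drops comments, so they produce no finding.
    """
    root = ET.fromstring(server_xml.strip())
    findings = []
    for conn in root.iter("Connector"):
        # protocol defaults to HTTP/1.1; AJP is "AJP/1.3" or a class name
        # such as org.apache.coyote.ajp.AjpNioProtocol
        protocol = conn.get("protocol", "HTTP/1.1")
        if "ajp" not in protocol.lower():
            continue
        issues = []
        address = conn.get("address")
        if address is None or address in WILDCARD_ADDRESSES:
            issues.append("bind-all-interfaces")
        if not (conn.get("secret") or conn.get("requiredSecret")):
            issues.append("no-secret")
        if conn.get("secretRequired", "true").lower() == "false":
            issues.append("secret-not-required")
        findings.append({"port": conn.get("port"), "address": address,
                         "issues": issues})
    return findings


def report(label, server_xml):
    """Print one verdict line per AJP connector; True when none is exposed."""
    findings = audit_ajp_connectors(server_xml)
    clean = True
    if not findings:
        print(f"{label}: no active AJP connector (not exposed to Ghostcat)")
    for f in findings:
        state = "OK" if not f["issues"] else "EXPOSED " + ", ".join(f["issues"])
        print(f"{label}: AJP on {f['address'] or '*'}:{f['port']} -> {state}")
        clean = clean and not f["issues"]
    return clean


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Audit a real file, e.g.: python3 audit_ajp.py /opt/tomcat/conf/server.xml
        with open(sys.argv[1], encoding="utf-8") as fh:
            sys.exit(0 if report(sys.argv[1], fh.read()) else 1)
    report("vulnerable-sample", VULNERABLE_SERVER_XML)
    report("hardened-sample", HARDENED_SERVER_XML)
```

A clean result from this check is not a substitute for upgrading: the file read and include behaviour is in the AJP connector code, and the secret and loopback binding only keep untrusted clients from reaching it. If nothing in front of Tomcat speaks AJP, the right fix is to remove the connector entirely rather than harden it.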
Chaitin's researchers discovered the vulnerability in early January 2020 and then worked with the maintainers of the Apache Tomcat project to address it. Security updates for Tomcat 7.x, 8.x and 9.x are already available; Chaitin has also updated its XRAY scanner to detect vulnerable Tomcat servers. Where upgrading is not immediately possible, the AJP connector should be disabled if nothing in front of Tomcat uses it, or otherwise bound to a local interface and configured with a shared secret, which the fixed releases require by default. Immediately after the public disclosure of Ghostcat, several researchers published proof-of-concept scripts on GitHub [1, 2, 3, 4, 5].