The Chinese cyber security company Chaitin Tech discovered the vulnerability, which is named Ghostcat and is tracked as CVE-2020-1938. The Apache JServ Protocol (AJP) is used for communication between Tomcat and the Apache web server. A remote, unauthenticated attacker can exploit it to access configuration and source code files. Performs brute force password auditing against the Apache JServ Protocol. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted Apache JServ Protocol (AJP) request with a content length of zero to a targeted device. Updated alert regarding vulnerability CVE-2020-1938 in. The vulnerability is due to the handling of an attribute in the Apache JServ Protocol (AJP).
Version 6 is no longer supported, but the fact that it is impacted shows that the vulnerability has existed for more than a decade. The Apache JServ Protocol (AJP) is a binary protocol that can proxy inbound requests from a web server through to an application server that sits behind the web server. The vulnerability could be exploited for file content disclosure of the web application or remote code execution. Most of the operating companies scanned by Nmap will most likely be susceptible. Apache Tomcat exploit poised to pounce, stealing files.
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Administrators who deploy and support affected products. On February 20, the China National Vulnerability Database (CNVD) published a security advisory for CNVD-2020-10487, a severe vulnerability in Apache Tomcat's Apache JServ Protocol, or AJP. The vulnerability is due to improper handling of certain user-supplied requests by the Apache JServ Protocol (AJP) module used by the affected web server. AJP is a highly trusted protocol and should never be exposed to untrusted clients, which could use it to gain access to sensitive information or execute code on the application server. The Apache Tomcat Connectors AJP protocol reference 1. Mar 09, 2020: this describes the Apache JServ Protocol version 1. Ghostcat in itself is a local file include/read vulnerability and not an arbitrary file upload/write vulnerability.
Apache Tomcat file inclusion vulnerability CVE-2020-1938. Apache Tomcat AJP requests denial of service vulnerability. A serious vulnerability affecting Apache Tomcat can be exploited to read files from a server and in some cases even to achieve remote code execution. Sun has released an alert notification to address the Apache Tomcat Java Apache JServ Protocol connector invalid header denial of service. Red Hat has released a security advisory and updated software to address the Apache Tomcat Java Apache JServ Protocol connector invalid header denial of service vulnerability. The security issue has received a critical severity rating score of 9. In addition, a remote attacker may execute arbitrary code if the web application allows file upload and stores files. The Apache JServ Protocol (AJP) is a binary protocol that enables the proxying of incoming requests from a web server to an application server. Depending on the scenario, this may give access to customer data, personal information, database passwords, and other content. A vulnerability in Apache Tomcat was addressed by Micro Focus Backup Navigator. This vulnerability is due to a flaw in the Tomcat Apache JServ Protocol (AJP). Automatically discover, prioritize and remediate Apache. App Scanner Enterprise updates for March 2020, Trustwave.
Apache Tomcat web servers are widely used for deploying Java-based web applications. Of course we all know the Metasploitable 2 virtual machine is deliberately susceptible. In-depth analysis of the top four flaws of the next generation web protocol. Ghostcat exploits the Apache JServ Protocol connector to read and write files on an Apache Tomcat server. Jun 05, 2016: a vulnerability assessment is a crucial part of every penetration test and is the process of identifying and assessing vulnerabilities on a target system. Mar 12, 2020: an exploit titled Ghostcat and tracked as CVE-2020-1938 (CNVD-2020-10487) has been identified when using the Apache JServ Protocol (AJP) when trusting incoming connections to Apache Tomcat. Active scans for the Apache Tomcat Ghostcat vulnerability. Anytime the web server is started, the AJP protocol is started on port. CVE-2020-1938 Apache Tomcat AJP file inclusion vulnerability. The Ghostcat vulnerability is a serious security flaw; however, it is easily rectifiable. Apache JServ security vulnerabilities, exploits, Metasploit modules, vulnerability statistics and list of versions e. Find business solutions from Micro Focus Software Support to meet.
A severe vulnerability exists in Apache Tomcat's Apache JServ Protocol. Therefore one can only suspect that the majority, if not all, of the companies. Apache Tomcat Java Apache JServ Protocol connector invalid. Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation. First, the Ghostcat vulnerability (CVE-2020-1938) is in the media and customers want to know if their ArcGIS deployment is vulnerable. Metasploitable 2 vulnerability assessment, Hacking Tutorials.
Apache JServ Protocol (AJP) public WAN (Internet) accessible. Feb 28, 2020: Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation. On February 24, 2020 local time, the Apache Software Foundation has. The default configuration of the JServ status handler in JServ. The security hole is related to the Apache JServ Protocol (AJP), which is designed to improve performance by proxying inbound requests from a web server through to an application server. Ghostcat, an Apache Tomcat server vulnerability, CNVD-2020-10487. AJP is a binary protocol designed to handle requests sent to a web. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server.
Impersonation attacks in 4G networks demonstrate a proven insecurity on a layer above a provably secure protocol; Boeing implementing more rigorous testing of Starliner after software problems shows how problems in cloud computing will be just the same in star systems; APIs are. Hacking an Apache web server, penetration testing, YouTube. Successful exploitation of the vulnerability could allow an attacker to read arbitrary files on the affected server. The vulnerability is due to incorrect processing of headers in the Tomcat Java Apache JServ Protocol (AJP) connector. Ghostcat vulnerability in the Tomcat Apache JServ Protocol. An unauthenticated remote attacker may send specially crafted requests to read web application files or upload malicious JavaServer Pages (JSP) code to execute arbitrary commands. Detect Apache Tomcat AJP file inclusion vulnerability CVE.
The Apache Tomcat security release states the mitigation is only required if an AJP port is accessible to untrusted users. Apr 23, 2020: who should read this advisory / apply software fixes. New high-risk vulnerability affects servers running Apache. There is, apparently, no current documentation of how the protocol works. A vulnerability in Apache Tomcat was addressed by Operations Bridge Manager. The Apache JServ Protocol is commonly used by web servers to communicate with backend Java application server containers. The CVE-2020-1938 vulnerability affected Tomcat's AJP protocol and was identified by the Chinese cybersecurity firm Chaitin Tech. If AJP is misconfigured it could allow an attacker. When starting IoTDB, the JMX port 31999 is exposed with no certification.
Chaitin says the vulnerability is related to the Apache JServ Protocol (AJP), which is designed to improve performance by proxying inbound requests from a. When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache. Often, AJP is used to load balance using sticky-session policies. If the target server also provides a file upload function, the attacker can. Though the AJP protocol comes enabled by default and listens on TCP port 8009, it is bound to IP address 0. Metasploitable 2 enumeration, Hacking Tutorials, breach the. Since it is not recommended to have AJP services publicly accessible on the Internet. The vulnerability exploits a flaw in the Apache JServ Protocol (AJP).
BSRT-2020-001: local file inclusion vulnerability in Apache. Chaitin says the vulnerability is related to the Apache JServ Protocol (AJP), which is designed to improve performance by proxying inbound requests from a web server through to an application server. AJP is a binary protocol designed to handle requests sent to a web server destined for an application server in order to improve performance. Updated alert regarding vulnerability CVE-2020-1938 in Apache.
If you are forced to use AJP, or the Apache JServ Protocol, you will be vulnerable. Ghostcat is a high-risk file read/include vulnerability tracked as CVE-2020-1938 and present in the Apache JServ Protocol (AJP) of Apache Tomcat between versions 6. Ghostcat bug impacts all Apache Tomcat versions released. Flashpoint has tested the publicly available PoC code against Tomcat version 8.
CVE-2020-1938: AJP request injection and potential remote code execution. Severity. These vulnerabilities exist in the AJP protocol, which is by default exposed over TCP port 8009 and enabled. Ghostcat: Apache Tomcat AJP file read/inclusion vulnerability. The CVE-2020-1938 vulnerability in Apache Tomcat was addressed by Solutions Business Manager. The Apache JServ Protocol (AJP) is a packet-oriented binary protocol designed to proxy inbound requests from a public web server to a private application server.
The Apache Software Foundation has released new versions of Apache Tomcat 7, 8. Dubbed Ghostcat and tracked as CVE-2020-1938, the flaw was discovered by researchers at the Chinese cybersecurity firm Chaitin Tech, who reported their findings to the Apache Software Foundation on. The vulnerability can be exploited by an attacker who can communicate with the affected AJP protocol service. CVE-2020-1938: AJP request injection and potential remote code execution. In this part of the tutorial we will be assessing the vulnerabilities available on the network side of the Metasploitable 2 virtual machine. Secondly, some customers choose to deploy Apache Tomcat separately with our products, such as in conjunction with the ArcGIS Java Web Adaptor, or together with Apache as a reverse proxy. Patches were made available last month with the release of versions 9. When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming. Apache Tomcat improper input validation vulnerability. If such connections are available to an attacker, they can be exploited in ways that may be surprising. It also supports some monitoring, in that the web server can ping the application server. The vulnerability exists in the Apache JServ Protocol (AJP), which is by default exposed over TCP port 8009 and enabled. The Apache Tomcat open-source web server supports various JavaScript-based technologies, including the Apache JServ Protocol (AJP) interface, which is where the vulnerability.
An attacker could exploit this vulnerability to read arbitrary files from a web application directory on the server. AJP (Apache JServ Protocol) is basically a binary protocol that allows reverse proxying of requests from a front-end web server to a back-end application server, effectively propagating all the information needed for the request/response flow to continue successfully. When using the Apache JServ Protocol (AJP), care must be taken. If AJP is misconfigured it could allow an attacker access to internal resources. Ghostcat request injection vulnerability, NHS Digital. CVE-2020-1745 is a vulnerability very similar to CVE-2020-1938 but occurs in Apache Undertow. Automatically discover, prioritize and remediate Apache Tomcat. The Apache Tomcat AJP file inclusion vulnerability CVE-2020-1938 is exploitable only if port 8009 is exposed and AJP is installed. Additionally, an attacker must be able to upload a maliciously crafted file to the server to achieve greater. The flaw treats certain connections as trustworthy when they are not. If such connections are available to an attacker, they can. The Apache JServ Protocol (AJP) is a binary protocol that can proxy inbound requests from a. An attacker with the ability to interact with the AJP protocol could exploit these vulnerabilities using specially crafted packets and/or files.
Apache JServ Protocol service vulnerabilities, Acunetix. Mar 03, 2020: CVE-2020-1938 is a file read/inclusion vulnerability in the AJP connector in Apache Tomcat. How can you prevent your Apache Tomcat web server from being affected? The simplest solution is to configure Apache as a local proxy, which performs transparent conversion of. For more information on the vulnerability, please refer to the information provided by the Apache Software Foundation. The Apache Software Foundation released Tomcat versions 7. On the Apache Tomcat security advisory page, Ghostcat is described as "AJP request injection and potential remote code execution". Ghostcat [2, 3] is a file read/inclusion vulnerability in the Apache JServ Protocol (AJP) connector in Apache Tomcat.
A remote attacker leveraging this vulnerability may steal information via AJP. An Apache Tomcat vulnerability exists in Tomcat's Apache JServ Protocol (AJP) due to an implementation defect. New high-risk vulnerability affects servers running. Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages (JSP) technologies. You can view versions of this product or security vulnerabilities related to Apache JServ. The script checks if the target host is running a service supporting the Apache JServ Protocol (AJP) accessible from a public WAN (Internet). The vulnerability exists in the Apache JServ Protocol (AJP), which is enabled by default and listens on all configured IP addresses. The vulnerability is due to insufficient validation of user-supplied input by an affected device. The Ghostcat vulnerability has existed for more than a decade and it affects versions 6, 7, 8 and 9 of Apache Tomcat. This makes communication with the AJP port rather difficult using conventional tools. A severe vulnerability exists in Apache Tomcat's Apache JServ Protocol. Running by default on TCP port 8009, AJP is a binary protocol designed to handle requests sent to a web server destined for an application. Apache software is an integral part of nearly every end-user computing device, from laptops to tablets to phones. Apache Tomcat affected by serious Ghostcat vulnerability.
This document is an attempt to remedy that, in order to make life easier for maintainers of JK, and for anyone who wants to port the protocol somewhere into Jakarta 4. The AJP protocol is enabled by default, listening on TCP port 8089 and bound to IP address 0. Exploiting Apache Tomcat through port 8009 using the. Addressing the Apache Tomcat Ghostcat vulnerability on. A criminal exploiting this flaw could have access to all web application files. High-risk vulnerability: Apache Tomcat AJP file inclusion. Apache projects are managing exabytes of data, executing teraflops of operations, and storing billions of objects in virtually every industry. Affected Apache Tomcat versions will get reported under the Qualys WAS detection (see details of the detection below). Due to a flaw in the Apache Tomcat JServ Protocol, or AJP, a file inclusion vulnerability exists where an attacker has read and write privileges in the webapp directory of Apache Tomcat. Hackers scanning for Apache Tomcat servers vulnerable to.
An attacker must communicate with an Apache JServ Protocol (AJP) port on the server. Ghostcat flaw: all versions of Apache Tomcat were affected. The Apache JServ Protocol (AJP) is a binary protocol that can proxy inbound requests from a web server through to an application server that sits behind the. You may have heard about it or have been affected by the security flaw already. A remote, unauthenticated attacker could exploit this to access files which, under normal conditions, would be restricted. In this video I demonstrate how to remotely exploit and gain access to an Apache web server when doing a penetration test using known vulnerabilities.
The script detects a service supporting the Apache JServ Protocol (AJP) version 1. Apache Tomcat fixed the Ghostcat vulnerability (CVE-2020-1938), where successful exploitation allows an attacker to read or include any file in all webapp directories on Tomcat, such as webapp configuration files, source code, etc. Vulnerability statistics provide a quick overview of the security vulnerabilities of this software. It is not recommended to have AJP services publicly accessible on the Internet. Several proof-of-concept exploit scripts for the recently patched flaw in Apache Tomcat are now available.