Ghostcat Vulnerability (CVE-2020–1938)

OWASP 2013-A9 OWASP 2017-A9 CWE-434 WASC-13

What is Ghostcat vulnerability?

Ghostcat is a vulnerability that affects Apache Tomcat, specifically the AJP protocol.

It currently affects versions before 9.0.31, 8.5.51, and 7.0.100. It happens because of a misconfiguration in AJP protocol followed by the default installation of Tomcat. This issue can cause a potential remote code execution.

By default, the Apache Tomcat includes the AJP connector. It is enabled by default and listens on all addresses on port 8009.

Ghostcat allows an attacker to retrieve arbitrary files from anywhere in the web application, including the WEB-INF and META-INF directories and any other location that can be accessed via ServletContext.getResourceAsStream().

It also allows the attacker to process any file in the web application as JSP.

Impact

A large number of actively reachable servers on the internet are running Apache Tomcat.

This is an old bug which has been active within the past 13 years and incorporates the versions 6.x/7.x/8.x/9.x. In most cases, this vulnerability will allow an attacker to read any resources that exist on the Tomcat server.

This can include the configuration files or any sensitive data on the server.

The worst case of this attack occurs when an application allows a user to upload files. In this case, an attacker can upload a malicious JSP file, and access it with their browser, leading to remote code execution.

This kind of attack may result in an exceedingly full compromise of the affected server.

Mitigation Or Precaution

Updating Apache to a newer version will help you to mitigate this vulnerability or if you are not using the AJP protocol then it can be closed by commenting out the port in the server.xml file.

Latest Articles