Apache Tomcat has been a popular Java servlet hosting application for over 20 years. It is used to host hundreds of thousands of websites and web applications. However, a high–risk vulnerability has recently been discovered that has remained unnoticed for 13 years.
Researchers at Chaitin Tech, a Chinese cybersecurity firm, discovered the vulnerability and dubbed it GhostCat. The vulnerability lies in a flaw with the Tomcat Apache JServ Protocol (AJP). This protocol is similar to HTTP but runs on port 8009 and is used to communicate with Apache HTTPD web servers or oth-er Tomcat instances. Until recently, the AJP connector was enabled by default on all Tomcat servers and bound to IP address 0.0.0.0.
This AJP flaw can be used to read and write files to a Tomcat server that the user shouldn’t be able to do. This could lead to an attacker stealing configuration files, passwords, or putting scripts on the server for backdoor access. If the web server allows file uploads, it could also be abused to allow remote code execution. There are already multiple proof–of–concept code examples on GitHub that have popped up since the vulnerability was made public, so it is likely that attacks are already happening in the wild.
The GhostCat vulnerability was found in versions all the way back to Tomcat version 6.x, which was released in February of 2007. All version since then, in-cluding 7.x, 8.x, and 9.x are also affected. Chaitin researchers found the bug in early January of this year and properly informed Apache to develop patches before releasing the vulnerability information to the public. Apache has re-leased patches for supported branches (7.0.100, 8.5.51, and 9.0.31) but Tomcat 6.x was end–of–life back in 2016 and has not been updated. Chaitin also updated their XRAY network scanning tool to help identify vulnerable Tomcat servers.
There is also a mitigation for GhostCat if updating the server is not possible for some reason. The AJP connector can be disabled in the server configuration if it is not needed at all, or the listening address and/or port can be modified as well. It is highly encouraged that all server owners upgrade to the latest version as soon as possible.
Sources
• https://thehackernews.com/2020/02/ghostcat–new–high–risk–vulnerability.html#comment–box
• https://lists.apache.org/thread.html/ r7c6f492fbd39af34a68681dbbba0468490ff1a97a1bd79c6a53610ef%40% 3Cannounce.tomcat.apache.org%3E
• https://www.zdnet.com/article/ghostcat–bug–impacts–all–apache–tomcat–versions–released–in–the–last–13–years/