Security researchers have disclosed a serious vulnerability, CVE-2020-1938, in Apache Tomcat. An attacker who can reach Tomcat's AJP port could read or include any file under a Tomcat web application directory.
The researchers from Chaitin Tech described the flaw in a blog post titled Ghostcat:
“Due to a flaw in the Tomcat AJP protocol, an attacker can read or include any files in the webapp directories of Tomcat. For example, an attacker can read the webapp configuration files or source code. In addition, if the target web application has a file upload function, the attacker may execute malicious code on the target host by exploiting file inclusion through the Ghostcat vulnerability.”
The researchers also said the vulnerability affects the default configuration of every Tomcat branch they tested (6, 7, 8 and 9); versions older than 6 were not verified.
Tomcat ships with two connectors, the channels through which it accepts connections from the outside: an HTTP connector and an AJP connector. The vulnerable AJP connector speaks AJP (Apache JServ Protocol), a binary protocol normally used between a front-end web server such as Apache httpd (via mod_jk or mod_proxy_ajp) and Tomcat, and it can be viewed as a performance-optimized alternative to HTTP for that hop. In affected versions the AJP connector is enabled in the default conf/server.xml, listens on TCP port 8009 and binds to all interfaces, so any host that can reach that port can talk to it directly, without going through the front-end web server at all.
To address Ghostcat, organizations should upgrade to the fixed versions (9.0.31, 8.5.51 and 7.0.100). Besides the code fix, those releases change the defaults: the AJP connector is commented out in the shipped server.xml, binds to the loopback address when enabled, and requires a shared secret (secretRequired="true" plus a secret= value) before it will start. Tomcat 6 is end of life and receives no fix. Where AJP is not used at all, disable the connector in conf/server.xml; where a front-end web server does need it, restrict address= to an interface only that server can reach and configure a secret on both ends.
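The following is an added example, not part of the original article and not Tomcat project code: a small audit that parses a conf/server.xml and reports each active AJP connector that listens on all interfaces, has secretRequired="false", or has no secret configured. The three embedded server.xml fragments are constructed for the example; the first mirrors the pre-fix default connector line, the second shows the hardened form, and the third shows the connector disabled by commenting it out (commented-out connectors are skipped automatically because the XML parser drops comments).

```python
import sys
import xml.etree.ElementTree as ET
from typing import List

# Loopback spellings accepted in the Connector address= attribute.
LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost", "[::1]"}


def ajp_findings(server_xml: str) -> List[str]:
    """One finding per weak setting on each active AJP connector."""
    findings: List[str] = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if "ajp" not in protocol.lower():
            continue
        where = f"AJP connector port={conn.get('port', '?')}"
        address = conn.get("address")
        if address is None:
            findings.append(f"{where}: no address=, pre-fix Tomcat listens on "
                            "all interfaces; set address=\"127.0.0.1\" or disable")
        elif address not in LOOPBACK_ADDRESSES:
            findings.append(f"{where}: address={address} is not loopback; "
                            "confirm only the front-end web server can reach it")
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append(f"{where}: secretRequired=\"false\" turns off the "
                            "shared secret; any AJP client is accepted")
        elif not conn.get("secret"):
            findings.append(f"{where}: no secret= configured; unpatched Tomcat "
                            "accepts any client, patched Tomcat refuses to start")
    return findings


# Constructed sample: the connector line shipped in vulnerable default configs.
VULNERABLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# Constructed sample: AJP kept for a local front-end, bound to loopback with a secret.
HARDENED_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-long-random-value"
               redirectPort="8443" />
  </Service>
</Server>
"""

# Constructed sample: AJP not needed, connector commented out.
DISABLED_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
  </Service>
</Server>
"""

if __name__ == "__main__":
    # Hypothetical usage: python audit_ajp.py /path/to/conf/server.xml
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"vulnerable": VULNERABLE_SERVER_XML,
                   "hardened": HARDENED_SERVER_XML,
                   "disabled": DISABLED_SERVER_XML}
    for name, xml_text in samples.items():
        results = ajp_findings(xml_text) or ["no AJP findings"]
        print(f"== {name}")
        for line in results:
            print("  " + line)
```

The audit is deliberately conservative: it reads only the file, not the running Tomcat version, so a connector without a secret is flagged even though a patched Tomcat would refuse to start with that configuration. Pair it with the version check; a hardened server.xml on an unpatched 7.0.99 still has the bug, it just limits who can reach it.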
Finally, NIST updated the NVD entry for CVE-2020-1938 on February 27 and rates it Critical (CVSS v3 base score 9.8).