
Image: Chaitin Tech / vargazs
Scans for Apache Tomcat servers unpatched against the Ghostcat vulnerability, which allows potential attackers to take over servers, were detected over the weekend and are still ongoing.
As cyber threat intelligence firm Bad Packets said on Saturday, "mass scanning activity targeting this vulnerability has already begun. PATCH NOW!"
Ghostcat is a high-risk file read/include vulnerability tracked as CVE-2020-1938 and present in the Apache JServ Protocol (AJP) of Apache Tomcat between versions 6.x and 9.x.
The Apache Tomcat developers have released versions 7.0.100, 8.5.51, and 9.0.31 to patch the vulnerability; however, users of version 6.x will have to upgrade to a newer branch, since 6.x has already reached end-of-support and is no longer updated — the last update for 6.x was released on April 7, 2017.
All unpatched Apache Tomcat 6, 7, 8, and 9 installations ship with AJP Connector enabled by default and listening on all configured server IP addresses on port 8009.
Proof-of-concept exploits available
Tenable says that proof-of-concept exploits have already been shared by security researchers on GitHub (1, 2, 3, 4, 5).
If you can't immediately update or upgrade your server to a patched Tomcat version, Chaitin Tech's research team recommends disabling the AJP Connector altogether if it is not actively used, or configuring the requiredSecret attribute on the AJP Connector so that AJP clients must present a shared secret before their requests are accepted.
Chaitin Tech also provides a security assessment tool that will help you discover Tomcat servers vulnerable to attacks targeting Ghostcat on your network.

According to Shodan, more than 890,000 Tomcat servers are currently reachable over the Internet, while BinaryEdge found over 1 million.
The affected Apache Tomcat versions and the releases in which the Ghostcat vulnerability has been patched are listed in the table below.
| Version | Impacted versions | Fixed version |
|---|---|---|
| Apache Tomcat 9 | Up to 9.0.30 | 9.0.31 |
| Apache Tomcat 8 | Up to 8.5.50 | 8.5.51 |
| Apache Tomcat 7 | Up to 7.0.99 | 7.0.100 |
| Apache Tomcat 6 | ALL VERSIONS | N/A |
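The two interim mitigations above (disable the AJP Connector, or bind it and set a secret) and the fixed-version table are easy to check mechanically. The Python script below is an added example, not the article's code and not Chaitin Tech's assessment tool: it parses a Tomcat `server.xml`, flags an AJP Connector that listens on all interfaces or has no secret configured, and compares a version string against the fixed releases in the table. The `server.xml` snippets are constructed samples, and the `requiredSecret` value is a placeholder. One assumption beyond the article: the script also accepts the attribute name `secret`, which the patched releases use in place of `requiredSecret`.

```python
"""Audit a Tomcat server.xml for the AJP Connector exposure behind Ghostcat
(CVE-2020-1938) and check a Tomcat version against the fixed releases.

Added example, not Chaitin Tech's assessment tool. The server.xml samples
below are constructed for this demonstration, not taken from any deployment.
"""
import xml.etree.ElementTree as ET

# Fixed release per branch, from the advisory table; the 6.x branch has no fix.
FIXED_VERSIONS = {9: (9, 0, 31), 8: (8, 5, 51), 7: (7, 0, 100)}

# The article recommends requiredSecret; the patched releases renamed the
# attribute to secret, so either name counts as "a secret is configured".
SECRET_ATTRIBUTES = ("requiredSecret", "secret")


def parse_version(version):
    """Turn '9.0.30' into (9, 0, 30); any non-numeric suffix is dropped."""
    parts = []
    for piece in version.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_is_fixed(version):
    """True if the version carries the Ghostcat fix, False if it does not,
    None if the major branch is outside the advisory table."""
    parsed = parse_version(version)
    major = parsed[0]
    if major == 6:
        return False  # end-of-life branch, never patched
    if major not in FIXED_VERSIONS:
        return None
    return parsed >= FIXED_VERSIONS[major]


def ajp_connectors(server_xml):
    """Return the active AJP Connector elements. A connector that has been
    commented out is invisible to the XML parser, so it counts as disabled."""
    root = ET.fromstring(server_xml)
    return [c for c in root.iter("Connector")
            if c.get("protocol", "").upper().startswith("AJP")]


def audit_ajp(server_xml):
    """Return a list of findings; an empty list means no exposed AJP connector."""
    findings = []
    for conn in ajp_connectors(server_xml):
        port = conn.get("port", "8009")
        address = conn.get("address")
        # No address attribute means Tomcat binds the connector on all addresses.
        if address is None or address in ("0.0.0.0", "::"):
            findings.append(f"AJP connector on port {port} listens on all "
                            "interfaces; bind it to 127.0.0.1 or disable it")
        if not any(conn.get(attr) for attr in SECRET_ATTRIBUTES):
            findings.append(f"AJP connector on port {port} has no requiredSecret; "
                            "set one or disable the connector")
    return findings


# Constructed sample: stock layout of an unpatched Tomcat, AJP on by default.
VULNERABLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# Constructed sample: AJP kept, but bound to loopback with a secret set.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               requiredSecret="REPLACE_WITH_LONG_RANDOM_SECRET" redirectPort="8443"/>
  </Service>
</Server>"""

# Constructed sample: AJP connector disabled by commenting it out.
DISABLED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
  </Service>
</Server>"""


if __name__ == "__main__":
    for label, xml in (("vulnerable", VULNERABLE_SERVER_XML),
                       ("hardened", HARDENED_SERVER_XML),
                       ("disabled", DISABLED_SERVER_XML)):
        print(label, audit_ajp(xml) or "OK")
    for v in ("9.0.30", "9.0.31", "8.5.50", "7.0.100", "6.0.53"):
        print(v, version_is_fixed(v))
```

Run it against a copy of your own `conf/server.xml` (replace the constructed samples) to see which of the two mitigations is still missing; an empty findings list on an unpatched version is a stopgap only, and the upgrade to 7.0.100, 8.5.51 or 9.0.31 remains the real fix.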
Critical flaw that can lead to server takeover
"Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection," the developers explain. "If such connections are available to an attacker, they can be exploited in ways that may be surprising."
As researchers at Chinese security outfit Chaitin Tech who discovered the bug detailed, after successfully exploiting an unpatched Tomcat server "an attacker can read the contents of configuration files and source code files of all webapps deployed on Tomcat."
"In addition, if the website application allows users to upload files, an attacker can first upload a file containing malicious JSP script code to the server (the uploaded file itself can be any type of file, such as pictures, plain text files etc.), and then include the uploaded file by exploiting the Ghostcat vulnerability, which finally can result in remote code execution."
According to Snyk and Red Hat, Tomcat is also bundled with apps built using the Spring Boot Java framework, as well as with other Java-based servers and frameworks, including but not limited to JBoss Web Server (JWS) and JBoss Enterprise Application Platform (EAP), as ZDNet reported.