All versions of Apache Tomcat are affected by the Ghostcat flaw

The Ghostcat flaw affects all versions of Apache Tomcat and could be exploited by hackers to read configuration files or install backdoors on vulnerable servers.

All versions of Apache Tomcat are affected by a vulnerability dubbed Ghostcat that could be exploited by attackers to read configuration files or install backdoors on vulnerable servers.

The vulnerability, tracked as CVE-2020-1938, affects the Tomcat AJP protocol and was discovered by the Chinese cybersecurity firm Chaitin Tech.

The Apache JServ Protocol (AJP) is a binary protocol that can proxy inbound requests from a web server through to an application server that sits behind the web server.

“Ghostcat is a serious vulnerability in Tomcat discovered by security researcher of Chaitin Tech. Due to a flaw in the Tomcat AJP protocol, an attacker can read or include any files in the webapp directories of Tomcat,” states the website set up to describe the issue. “For example, an attacker can read the webapp configuration files or source code. In addition, if the target web application has a file upload function, the attacker may execute malicious code on the target host by exploiting file inclusion through the Ghostcat vulnerability.”

The Tomcat Connector allows Tomcat to connect to the outside: it enables Catalina to receive requests from the outside, pass them to the corresponding web application for processing, and return the response to the request.

By default, Tomcat used two Connectors, the HTTP Connector and the AJP Connector; the latter listens on the server’s port 8009.

The Ghostcat vulnerability in AJP can be exploited to either read or write files on a Tomcat server. An attacker could trigger the flaw to access configuration files and steal passwords or API tokens. It can also allow attackers to write files to a server, including malware or web shells.

“By exploiting the Ghostcat vulnerability, an attacker can read the contents of configuration files and source code files of all webapps deployed on Tomcat,” continues the analysis.

“In addition, if the website application allows users to upload files, an attacker can first upload a file containing malicious JSP script code to the server (the uploaded file itself can be any type of file, such as pictures, plain text files etc.), and then include the uploaded file by exploiting the Ghostcat vulnerability, which finally can result in remote code execution.”

Tomcat versions affected by the Ghostcat vulnerability are:

  • Apache Tomcat 9.x < 9.0.31
  • Apache Tomcat 8.x < 8.5.51
  • Apache Tomcat 7.x < 7.0.100
  • Apache Tomcat 6.x
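As a triage aid for the version list and the default AJP Connector described above, the following added example (not code from Chaitin Tech or the Apache Tomcat project) checks a Tomcat version string against the listed ranges and finds enabled AJP Connectors in a `server.xml`. The sample `server.xml` is constructed, the function names are hypothetical, and the `address` attribute is a standard Tomcat Connector attribute that the article does not mention.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release per branch, from the affected-version list above.
FIXED = {9: (9, 0, 31), 8: (8, 5, 51), 7: (7, 0, 100)}

# Constructed sample: one HTTP connector, one commented-out and one live AJP connector.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- <Connector port="8010" protocol="AJP/1.3"/> -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

def is_affected(version):
    """True if the version falls in one of the affected ranges listed above."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unparseable version: %r" % version)
    v = tuple(int(x) for x in m.groups())  # numeric compare: 7.0.99 < 7.0.100
    if v[0] == 6:
        return True  # the list names no fixed 6.x release
    if v[0] not in FIXED:
        raise ValueError("branch %d.x is not in the list" % v[0])
    return v < FIXED[v[0]]

def ajp_connectors(server_xml):
    """Port and bind address of every enabled AJP <Connector>.

    XML comments are skipped by the parser, so a commented-out
    connector is not reported.
    """
    found = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        # Matches "AJP/1.3" as well as class names such as ...ajp.AjpNioProtocol
        if "ajp" in c.get("protocol", "HTTP/1.1").lower():
            found.append({"port": int(c.get("port")), "address": c.get("address")})
    return found

def assess(version, server_xml):
    """Combine both checks into one triage record."""
    ajp = ajp_connectors(server_xml)
    affected = is_affected(version)
    return {"affected_version": affected,
            "ajp_ports": [c["port"] for c in ajp],
            "needs_action": affected and bool(ajp)}

if __name__ == "__main__":
    print(assess("8.5.50", SAMPLE_SERVER_XML))
```

A connector reported with `address` of `None` has no bind address set in the file, so its reachability depends on Tomcat's default for that version and on network filtering in front of the port.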

Chaitin experts discovered the vulnerability in early January, then helped maintainers of the Apache Tomcat project to address the issue.

Security patches were already released for Tomcat 7.x, Tomcat 8.x, and Tomcat 9.x. Chaitin also released an update to their XRAY scanner to find vulnerable Tomcat servers.

Immediately after the public disclosure of the Ghostcat issue, several experts shared proof-of-concept exploit scripts on GitHub.

Pierluigi Paganini
