Understanding the Ghost Cat Vulnerability (CVE-2020–1938)
The Ghost Cat vulnerability is a new vulnerability that is gaining traction. In this article, I will describe the vulnerability, the impact, and what can be done to fix the vulnerability on Tomcat servers.
What is Ghost Cat?
Ghost Cat is a vulnerability that affects Apache Tomcat. It currently affects versions before 9.0.31, before 8.5.51, and before 7.0.100. It is caused by an inseucre configuration of the AJP protocol in the default installation of Tomcat, leading to attackers being able to cause information disclosure, and potentially remote code execution.
What is AJP?
AJP stands for Apache Jserv Protocol, and it is used as an optimized version of the HTTP protocol in binary form. It can be used to reduce the processing costs related to HTTP requests, and is mostly used in scenarios that require clustering or reverse proxies.
By default, AJP is enabled in Apache Tomcat, and is set to listen on port 8009. This port can be changed in the configuration file, but it is most commonly found on port 8009.
How can I determine if AJP is enabled?
There are two main ways to determine if AJP is enabled. The first is to check the server.xml file located in the Tomcat configuration folder. If AJP is enabled, the port and protocol will be listed in the file, as shown in the screenshot below.
If it is not enabled, this line will be commented out, or it will not appear in the configuration file.
Another way to detect if AJP is enabled is by doing an nmap scan of the server. Using a command like nmap -T4 -A -v <SERVER IP> will reveal if port 8009 is open, and if it uses the AJP protocol.
Why does this vulnerability exist?
By default, Tomcat treats AJP connections as having a higher level of trust, when compared to HTTP connections. When AJP is implemented correctly, the protocol requires a secret, which is required by anyone who queries the protocol. When using the default Tomcat configuration, this secret is not enabled, meaning that no security check is done to requests coming into port 8009. This means that an unauthenticated attacker can access the port to read or potentially write to the server
What is the impact of this vulnerability?
In most cases, this vulnerability will allow an attacker to read any resources that exist on the Tomcat server. This means that any server or configuration files could be leaked. The severity of this varies based on what is contained in the source code and configuration files.
The worst case of this attack occurs when an application allowsa user to upload files. In this case, an attacker can upload a malicious jsp file, and access it with their browser, resulting in remote code execution. This type of attack can result in a full compromise of the affected server.
How can this vulnerability be patched?
The easiest way to fix this vulnerability is by updating your Apache Tomcat version to 9.0.31 or 8.5.51, or 7.0.100.
If you currently do not use AJP, you can also comment out the port in the server.xml file. This will ensure that traffic over port 8009 is not accepted, mitigating the attack.
If you do use AJP and cannot update Tomcat, the next best thing is to add a secret to your AJP configuration. This will ensure that anyone accessing the port needs to be authenticating before accessing it. In addition, firewall rules can be used to restrict access to the port if it is only used internally, or by specific processes.
