Patch Your Tomcat and JBoss Instances to Mitigate New High-Risk GhostCat Vulnerability

  • This newly discovered vulnerability can allow malicious attackers to take over unpatched systems. 
  • The vulnerability is tracked as CVE-2020-1938.

Apache Tomcat servers released in the last 13 years are vulnerable to a high-risk vulnerability called GhostCat. This newly discovered vulnerability can allow malicious attackers to take over unpatched systems.

About the flaw
Discovered by the Chinese cybersecurity firm Chaitin Tech, GhostCat is a flaw in the Tomcat AJP protocol. The vulnerability is tracked as CVE-2020-1938.

The GhostCat vulnerability can let remote attackers read the contents of any file on a vulnerable web server or servlet container and obtain sensitive configuration files or source code. The flaw can also be exploited to execute code if the server allows file upload.

“Due to a flaw in the Tomcat AJP protocol, an attacker can read or include any files in the webapp directories of Tomcat. For example, an attacker can read the webapp configuration files or source code. In addition, if the target web application has a file upload function, the attacker may execute malicious code on the target host by exploiting file inclusion through Ghostcat vulnerability,” explained researchers in a blog post.

Which versions are affected?
The GhostCat vulnerability affects all 6.x, 7.x, 8.x, and 9.x Tomcat branches. The flaw can be exploited if the AJP Connector is enabled and the attacker can access the AJP Connector service port.

How to fix it?
Apache Tomcat has released versions 9.0.31, 8.5.51, and 7.0.100 to fix the vulnerability. In order to fix the vulnerability correctly, one must first determine whether the Tomcat AJP Connector service is used in their server environment.
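As an added illustration (not code from this article or from Chaitin Tech), the check below parses a Tomcat server.xml and reports every active AJP connector, flagging any that listens beyond loopback without a shared secret. The two server.xml excerpts are constructed samples; the `address`, `secretRequired` and `secret` connector attributes are assumed from Tomcat's connector configuration, and this configuration audit complements, rather than replaces, upgrading to the fixed versions.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample resembling a stock server.xml with the AJP connector left enabled.
# The commented-out connector is ignored by the XML parser, just as Tomcat ignores it.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <!-- <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1" /> -->
  </Service>
</Server>"""

# Constructed hardened variant: bound to loopback and requiring a shared secret
# (the secret value is a placeholder, not a real credential).
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="PLACEHOLDER_LONG_RANDOM_SECRET" />
  </Service>
</Server>"""


def audit_ajp(server_xml: str) -> list:
    """Return one finding per active AJP connector in a server.xml document.
    Missing attributes are treated conservatively as the pre-fix defaults
    (listen on all interfaces, no secret), so a stock config is reported at risk."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if "ajp" not in protocol.lower():  # matches "AJP/1.3" and Ajp*Protocol class names
            continue
        address = conn.get("address", "0.0.0.0")
        secret_required = conn.get("secretRequired", "false").lower() == "true"
        secret_protected = secret_required and bool(conn.get("secret"))
        exposed = address not in LOOPBACK
        findings.append({
            "port": conn.get("port"),
            "address": address,
            "exposed": exposed,
            "secret_protected": secret_protected,
            # Reachable from the network with no shared secret: the GhostCat precondition
            "at_risk": exposed and not secret_protected,
        })
    return findings
```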