Ghostcat breach affects all Tomcat versions

Written by:

February 26, 2020

0 mins read

Apache Tomcat is an open source implementation of the Java Servlet, JavaServer Pages, Java Expression Language, and Java WebSocket technologies. Tomcat is one of the most popular Java HTTP web server environments and was released in 1998.

Ghostcat is a high severity vulnerability in Tomcat discovered by the security researchers of Chaitin Tech on January 3rd. On February 20, the China National Vulnerability Database (CNVD) published a security advisory for this issue with the number CNVD-2020-10487.

The vulnerability was found in the Apache JServ Protocol (AJP). The issue is that this binary protocol allows an attacker to read or include any file into Tomcat webapp directories.

AJP Connector

The vulnerability allows an attacker to read the contents of the web application files. If the web application allows file upload, the attacker is also able to upload any files to the server including malicious Java Server Pages (JSP) that enable remote code execution on the server.



Apache Tomcat already released patched versions for Tomcat 7, 8, and 9:

The Chaitin researchers are suggesting that if you use the patch, you also add a proper secret to you connector configuration in the /conf/server.xml file.

1<Connector port="8009" protocol="AJP/1.3" 

When patching is not an option, there are some other ways to mitigate this issue, according to the Chaitin researchers.

If you are not using the AJP Connector you can safely comment out or delete the declaration of the AJP Connector in the /conf/server.xml file.

1<!--<Connector port="8009" protocol="AJP/1.3" 
2redirectPort="8443" />-->

If you do use the AJP Connector and updating to the patched version is not an option, add a requiredSecret field with a safe, not easy to guess secret.

1<Connector port="8009" protocol="AJP/1.3" 

Spring Boot

The latest version of the JVM Ecosystem report shows that Spring Boot is the most widely used server-side framework within the ecosystem. Spring Boot uses an embedded web server and, by default, the embedded version of Tomcat is used. It is possible that the spring-boot-starter-web introduced a vulnerable version of the embedded apache tomcat package into your system.

Edited Mar 2, 2020

It is good to know that by default, Spring Boot does not create an AJP connector out the box. This means that with the default settings an attacker cannot exploit this vulnerability. However, Spring Boot can be configured differently. Depending on your configuration you should check if you’re vulnerable and take appropriate measures.

Patch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo Segment

Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer’s toolkit.

Start freeBook a live demo