Patch Your Tomcat and JBoss Instances to Protect from GhostCat Vulnerability
March 10, 2020

Chetan Conikee
ShiftLeft

Identified as "GhostCat" and tracked as CVE-2020-1938 / CNVD-2020-10487, the flaw lets a remote attacker (without authentication) read the content of any file on a vulnerable web server (or servlet container), obtaining sensitive configuration files or source code, and execute arbitrary code if the server also allows file uploads.

This means that they can plant backdoors, read configuration files containing hardcoded credentials, take over passwords and tokens to move laterally across other hosted services, or even read or write any file on the server. It is one of the most serious vulnerabilities found in Apache Tomcat so far.

Discovered by the Chinese cybersecurity company Chaitin Tech, the vulnerability resides in the AJP connector of the Apache Tomcat servlet container. AJP is a highly trusted protocol and should never be exposed to untrusted clients.

AJP (Apache JServ Protocol) is a binary protocol for reverse-proxying requests from a front-end web server to a back-end application server, carrying all the information needed for the request/response flow to complete. AJP is often used for load balancing with sticky-session policies.

Benefits of AJP are:

1. More performant than an equivalent HTTP exchange.

2. Integrated with widely used reverse-proxying modules (e.g. mod_jk, mod_proxy).

3. Tomcat's implementation provides a rich set of APIs that is protocol-agnostic: HTTP(S) data is propagated seamlessly and can be retrieved with the same simple API calls, so it is like working with HTTP at a higher speed.

The AJP connector is enabled by default, listening on TCP port 8009 and bound to IP address 0.0.0.0 (all interfaces).

A remote, unauthenticated and untrusted attacker can exploit this default AJP configuration to read web application files from any server that exposes the AJP port to untrusted clients. Where a poorly configured server also allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and gain remote code execution (RCE).

A BinaryEdge-based search indicates that there are over 1 million Tomcat servers online.


Credit: BinaryEdge based search

An Onyphe scan shows more than 170,000 devices exposing an AJP connector that responds to AJP13 requests.

Credit: Onyphe

Shodan indicates that there are approximately 198,290 servers with an exposed AJP port (8009) in the USA.

Credit: Shodan

Several proofs of concept are available online, and their number is growing rapidly, especially on GitHub [1, 2, 3, 4, 5].

Are You Vulnerable?

You are affected if your infrastructure includes any component built with or deployed on:

■ Apache Tomcat (6.x, 7.x, and the 8.5 and 9.0 lines covered by the fixed releases listed under Mitigation)

■ The Spring Boot Java framework, which bundles an embedded Tomcat server

■ JBoss Web Server (3.1.7 / 5.2.0)

■ JBoss EAP (6.x / 7.x)

■ Red Hat Enterprise Linux (5.x ELS, 6.x, 7.x, 8.x) with the pki-servlet-container and pki-servlet-engine packages from the pki-deps module

■ Also verify your firewall and reverse-proxy configuration to identify whether the AJP port is exposed

Mitigation

1. Upgrade to the latest Apache Tomcat release that fixes this vulnerability: 9.0.31, 8.5.51, or 7.0.100.

2. For Tomcat-based deployments, if your service does not use the AJP connector, disable it by commenting it out in conf/server.xml.

3. For Tomcat-based deployments, if the AJP connector is required and cannot be deactivated, upgrade and set a secret for the AJP connector by adding requiredSecret="YOUR_AJP_SECRET" to the AJP Connector element in conf/server.xml (replace the placeholder with a value of your own).

4. For JBoss-based deployments, verify and edit the default AJP connector, which is enabled by default only in the standalone-full-ha.xml and standalone-ha.xml configurations and in the ha and full-ha profiles of domain.xml.

5. For JBoss-based deployments, if the AJP connector is required and cannot be deactivated, add a credential (shared secret) to the AJP connector.
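The following Python script is an added example (not from the article or the Tomcat project) that audits a conf/server.xml against steps 2 and 3 above, reporting every enabled AJP connector that is still bound to all interfaces or has no shared secret. It assumes the stock server.xml layout, the sample configurations inside it are constructed, and it accepts both requiredSecret (the attribute named above) and secret, since the fixed releases deprecate requiredSecret in favor of secret.

```python
"""Audit a Tomcat conf/server.xml for the AJP settings behind GhostCat (CVE-2020-1938).

Added example for this article, not code from the post or the Tomcat project. Flags every
enabled AJP <Connector> bound to all interfaces or lacking a shared secret; connectors that
were commented out (step 2) are dropped by the XML parser and so are not reported.
"""
import xml.etree.ElementTree as ET

# Constructed sample: stock server.xml shape with the default, unauthenticated AJP connector.
VULNERABLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed sample: AJP kept (step 3), bound to loopback and given a secret (value is made up).
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> old, no secret -->
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               requiredSecret="c0nstructed-sample-secret" redirectPort="8443" />
  </Service>
</Server>"""


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one dict per enabled AJP connector; an empty 'issues' list means it is clean."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "AJP" not in conn.get("protocol", "").upper():
            continue  # plain HTTP connectors are not affected by CVE-2020-1938
        address = conn.get("address", "0.0.0.0")  # pre-fix Tomcat default is all interfaces
        # requiredSecret is the attribute the article uses; fixed releases also accept 'secret'
        secret = conn.get("secret") or conn.get("requiredSecret")
        issues = []
        if address in ("0.0.0.0", "::", "::0"):
            issues.append("AJP bound to all interfaces")
        if not secret:
            issues.append("no AJP shared secret configured")
        elif secret in ("YOUR_AJP_SECRET", "changeme"):  # placeholder never replaced
            issues.append("placeholder AJP secret in use")
        findings.append({"port": conn.get("port"), "address": address, "issues": issues})
    return findings


def is_ghostcat_exposed(server_xml: str) -> bool:
    """True if any enabled AJP connector has at least one issue."""
    return any(f["issues"] for f in audit_ajp_connectors(server_xml))
```

Run it against the real file with audit_ajp_connectors(open("conf/server.xml").read()); a connector bound to 127.0.0.1 with a non-placeholder secret comes back with no issues.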

Proactive Security

You may be confident that your perimeter defenses are robust enough to catch most such threats. However, adversaries have long known how reactive security tools work, and they make it their mission to circumvent them.

Besides scanning your configurations and open-source (OSS) dependencies, it is critical to understand how your application's logic uses the OSS dependencies and frameworks it is deployed upon.

Chetan Conikee is Founder and CTO of ShiftLeft