As previously reported, a severe vulnerability exists in Apache Tomcat's Apache JServ Protocol. The Chinese cyber security company Chaitin Tech discovered the vulnerability, named "Ghostcat", which is tracked as CVE-2020-1938 and rated critical severity with a CVSS v3 score of 9.8.

This blog post details how web application security teams can detect this vulnerability using Qualys Web Application Scanning (WAS). This new Qualys WAS detection complements the detection that uses Qualys VMDR®.

## About CVE-2020-1938

Apache Tomcat web servers are widely used for deploying Java-based web applications. Apache JServ Protocol (AJP) is used for communication between Tomcat and the Apache web server. This protocol is binary and is enabled by default. Whenever the web server is started, the AJP protocol is started on port 8009. It is primarily used as a reverse proxy to communicate with application servers.

The most common way to identify whether the protocol is indeed enabled is to first locate the web server's conf/ directory. Look for the server.xml configuration file, which specifies all the default protocols and the document root directory configuration. As you will see when reading server.xml, the connector on port 8009 is not commented out and is explicitly enabled by default.

Affected Apache Tomcat versions will be reported under the Qualys WAS detection (see details of the detection below). The Apache Tomcat AJP File Inclusion vulnerability (CVE-2020-1938) is exploitable only if port 8009 is exposed and AJP is installed. With this vulnerability, an attacker can easily gain access to configuration files if the protocol is publicly available. If arbitrary file upload is not disabled, it is then possible for the attacker to upload malicious code to the web server that enables remote code execution.

> Tomcat has fixed this vulnerability, UPDATE! /Jauc5zPF3a You can read any webapps files or include a file to RCE.

## Identifying CVE-2020-1938 Vulnerability using WAS scan

Enable QID 150282 in your Qualys WAS option profiles to identify if you are running a vulnerable version of Apache Tomcat. The WAS scan will report QID 150282 as a potential vulnerability. To keep it simple, our scan will not attempt to actively determine the vulnerability by uploading an arbitrary file. We take into consideration that AJP is a binary version of HTTP and cannot be requested over HTTP, hence the detection of the vulnerable server is determined based on the presence of the Tomcat version and the fact that it is shipped with default configurations.

We also recommend enabling the following two QIDs in Qualys Web Application Scanning:

The vulnerability becomes more critical when the application allows file uploads. This will lead to the possibility of Remote Code Execution, allowing an attacker to take complete control of the web server. This requires immediate attention if you are using AJP and a vulnerable version of Apache Tomcat.

## Remediation Guidance

Disable port 8009 by commenting out (or deleting) the block of configuration that enables this vulnerability. Restart the Apache web server for the changes to take effect.

Regardless of whether you disable AJP, we also recommend defining the strong secret key attribute requiredSecret in server.xml, which sets AJP protocol authentication credentials and ensures that only requests from authenticated workers will be honored. In this case, Tomcat will instantiate the AJP connector only when this attribute is specified with non-null and non-zero values. Note that the Tomcat documentation clearly states the default value for the attribute is null.

It is recommended to upgrade to patched versions of Apache Tomcat Web Servers:

Additional detection and remediation details are described in Automatically Discover, Prioritize and Remediate Apache Tomcat AJP File Inclusion Vulnerability (CVE-2020-1938) using Qualys VMDR.

A vulnerability in the popular Apache Tomcat web server is ripe for active attack, thanks to a proof-of-concept (PoC) exploit making an appearance on GitHub.
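The two server.xml states the remediation guidance describes, the stock AJP connector on port 8009 and one hardened with a shared secret, checked by a small audit script. This is an added example, not code from the Qualys post or from the Tomcat project; the sample XML is constructed, and the `secret` attribute the script also accepts is the name patched Tomcat releases use in place of requiredSecret.

```python
import xml.etree.ElementTree as ET

# Constructed sample: stock layout, AJP enabled on 8009, no secret.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# Constructed sample: AJP kept, bound to loopback and requiring a shared secret.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               requiredSecret="REPLACE_WITH_LONG_RANDOM_SECRET"/>
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """One finding per active AJP <Connector>; commented-out connectors are not elements, so they are skipped."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if "AJP" not in conn.get("protocol", "").upper():
            continue  # HTTP connectors are out of scope
        # requiredSecret is the attribute named in the post; patched Tomcat calls it secret.
        secret = (conn.get("requiredSecret") or conn.get("secret") or "").strip()
        address = conn.get("address", "")  # unset means every interface
        issues = []
        if not secret:
            issues.append("no requiredSecret/secret: any AJP client is trusted")
        if address not in LOOPBACK:
            issues.append("bound to %s: reachable beyond localhost" % (address or "all interfaces"))
        findings.append({"port": conn.get("port"), "address": address or "*",
                         "has_secret": bool(secret), "issues": issues})
    return findings


def is_exposed(server_xml: str) -> bool:
    """True when any AJP connector carries an issue, i.e. the CVE-2020-1938 precondition holds."""
    return any(f["issues"] for f in audit_ajp_connectors(server_xml))


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, "EXPOSED" if is_exposed(xml) else "ok", audit_ajp_connectors(xml))
```

Point the functions at the contents of your own conf/server.xml to get the same findings for a real deployment.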