I was listening to Security Now this morning and there was a story about a vulnerability with Tomcat versions 7.X through 9.X.
You can see/hear the story here:
The issue is related to the AJP interface on TCP port 8009, and is described in CVE-2020-1938. While I was listening, I thought that it was probably being overstated because it would be unlikely that anyone would have Tomcat directly exposed to the Internet, but later I wondered if it could be an issue in deployments where Tomcat was fronted by a reverse proxy using AJP, such as Apache HTTPd + mod_proxy_ajp.
While I'm not totally clear, it sounds like you could upload a JSP via the AJP connector, and if the webapp designer were idiotic enough to store uploaded files within the WAR, the uploaded JSP could then be executed as though it were a legitimate part of the WAR application.
It does sound like Apache could be used for exploitation from remote sources in such cases.
But I've told people for years never to upload or write files into a WAR. Even absent the security risks, it doesn't work unless the WAR has been exploded (which, alas, is Tomcat's default), and potentially valuable files can get lost by a simple software upgrade.
I would definitely upgrade, but again, no well-designed webapp should be storing data of any kind within the WAR directory, or for that matter within any directory that's part of the Tomcat server.
"privilege" comes from the Latin words for "private" and "law" (legal) and dates to feudal times. To "claim privilege" meant that you were above the laws that applied to the common people.
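An added example, not from this thread or from the Tomcat project: a small Python audit that reads a Tomcat server.xml and flags AJP connectors that are reachable beyond loopback or have no shared secret, the two hardening settings (`address` and `secretRequired`/`secret`) that the fixed Tomcat releases enforce by default. The server.xml below is constructed; when Tomcat sits behind mod_proxy_ajp, the same secret has to be configured on the httpd side so the proxy can still connect.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample server.xml: one classic pre-fix AJP connector (listens on all
# interfaces, no shared secret) beside one hardened connector. Not a real config.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" secretRequired="true"
               secret="REPLACE_WITH_A_LONG_RANDOM_VALUE"/>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> List[Dict]:
    """Return one finding per AJP connector: its port, bind address and a list of issues."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue  # HTTP connectors are out of scope for this check
        address = conn.get("address")
        # 'secret' is the current attribute name; 'requiredSecret' is the older spelling.
        secret = conn.get("secret") or conn.get("requiredSecret")
        issues = []
        # A missing address meant "all interfaces" before the fix, so treat it as
        # exposed unless it is explicitly a loopback address.
        if address not in LOOPBACK:
            issues.append("not bound to loopback: reachable by anything that can route to the port")
        if not secret:
            issues.append("no shared secret: any client that reaches the port can speak AJP")
        findings.append({"port": conn.get("port"), "address": address, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not f["issues"] else "; ".join(f["issues"])
        print(f"AJP port {f['port']} address={f['address']}: {status}")
```

Run it against the real server.xml by reading the file into a string; a connector with an empty issues list is bound to loopback and carries a secret.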