Ghostcat: Tomcat AJP Vulnerability

I was listening to Security Now this morning and there was a story about a vulnerability with Tomcat versions 7.X through 9.X.  

You can see/hear the story here:

The issue is related to the AJP interface on TCP port 8009, and is described in CVE-2020-1938.  While I was listening, I thought that it was probably being overstated because it would be unlikely that anyone would have Tomcat directly exposed to the Internet, but later I wondered if it could be an issue in deployments where Tomcat was fronted by a reverse proxy using AJP, such as Apache HTTPd + mod_proxy_ajp.

Has anyone looked at this?
Saloon Keeper
While I'm not totally clear, it sounds like you could upload a JSP via the AJP connector and if the webapp designer were idiot enough to store uploaded files within the WAR that the uploaded JSP could then be executed as though it was a legitimate part of the WAR application.

It does sound like Apache could be used for exploitation from remote sources in such cases.

But I've told people for years never to upload or write files into a WAR. Even absent the security risks, it doesn't work unless the WAR has been exploded (which, alas, is Tomcat's default), and potentially valuable files can get lost by a simple software upgrade.

I would definitely upgrade, but again, no well-designed webapp should be storing data of any kind within the WAR directory, or for that matter within any directory that's part of the Tomcat server.
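The configuration point both posts circle around (is AJP on 8009 reachable, and by whom?) checked in code. This is an added example for this thread, not code from the posters or from the Tomcat project: a small Python audit that parses a Tomcat server.xml and flags AJP connectors that listen on every interface or have no shared secret. Those are the two settings the fixed releases (9.0.31, 8.5.51, 7.0.100) changed: the shipped AJP connector is commented out, binds to loopback by default, and refuses to start without a secret unless secretRequired is set to false. The sample server.xml is constructed for the example, with one pre-fix default connector and one hardened one; the function and variable names are assumptions of the example, not Tomcat API.

```python
"""Audit a Tomcat server.xml for AJP connectors reachable by CVE-2020-1938.
Added example for this thread, not Tomcat project code."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample, not a real deployment.  Port 8009 is the pre-fix
# default (no address, no secret); port 8010 shows the hardened form.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-long-random-value"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>
"""

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector.  'issues' is empty only when the
    connector is loopback-only and protected by a shared secret."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue  # HTTP/HTTPS connectors are not affected by CVE-2020-1938
        address = conn.get("address")
        secret = conn.get("secret")
        # Fixed Tomcat releases default secretRequired to true; older ones
        # have no such attribute, so a missing secret simply means open AJP.
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        issues = []
        if address is None:
            issues.append("no address attribute: listens on every interface")
        elif address not in LOOPBACK_ADDRESSES:
            issues.append(f"bound to {address}, reachable beyond the host")
        if not secret_required:
            issues.append("secretRequired=false: any AJP client is trusted")
        elif not secret:
            issues.append("no secret: proxies are not authenticated "
                          "(fixed Tomcat versions refuse to start this connector)")
        findings.append({
            "port": conn.get("port"),
            "address": address,
            "secret_configured": bool(secret),
            "issues": issues,
            "exposed": bool(issues),
        })
    return findings


def main(path=None):
    """Print a one-line verdict per AJP connector; uses the sample if no path."""
    if path:
        with open(path, encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_SERVER_XML
    for finding in audit_ajp_connectors(xml_text):
        status = "EXPOSED" if finding["exposed"] else "ok"
        print(f"AJP port {finding['port']} address={finding['address']}: {status}")
        for issue in finding["issues"]:
            print(f"  - {issue}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it against a real conf/server.xml (`python audit_ajp.py /opt/tomcat/conf/server.xml`) after an upgrade: the clean outcome is either no AJP findings at all (connector removed or commented out when nothing in front of Tomcat speaks AJP) or a single loopback-bound connector with a secret that matches the `secret=` on the mod_proxy_ajp side. A connector listening on all interfaces without a secret is exactly what the vulnerability needs, whether or not a reverse proxy also sits in front of it.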