Ghostcat (CVE-2020-1938), a brand-new file inclusion vulnerability in Apache Tomcat
Recently, a new vulnerability in the Apache Tomcat AJP Connector was disclosed.
The flaw was discovered by a security researcher at Chaitin Tech and allows a remote attacker to read any file under the webapps directory or to include one.
The AJP Connector
The AJP Connector is generally used to handle (internal) requests, usually on port 8009, coming for example from an Apache HTTP Server placed in front of Tomcat.
The vulnerability (CVE-2020-1938) could be remotely exploited if port 8009 is publicly exposed.
CVE-2020-1938 is NOT, by default, a Remote Code Execution vulnerability; it is an LFI (local file inclusion). So, IF you can:
1) upload files via an application feature, and
2) these files are saved inside the document root (e.g. webapps/APP/…), and
3) reach the AJP port directly,
then it can be turned into RCE.
PoC and Detection tool
A Proof-of-Concept for the vulnerability has been released on GitHub, without any additional details.
Furthermore, the researchers also published an “online detection tool”, useful to remotely check for the vulnerability.
Which Tomcat versions are affected?
- Tomcat 6 (no longer maintained)
- Tomcat 7.x < 7.0.100
- Tomcat 8.x < 8.5.51
- Tomcat 9.x < 9.0.31
Is there a fix?
To fix this vulnerability correctly, you first need to determine whether the Tomcat AJP Connector service is used in your server environment:
- If no cluster or reverse proxy is used, you can basically assume that AJP is not used.
- Otherwise, you need to figure out whether the cluster or reverse proxy is communicating with the Tomcat AJP Connector service.
For additional details about the fix, please refer to the advisory.
As usual, update ASAP (and check port 8009 exposure)!
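As an added example (not from the original post, nor from Chaitin Tech's tool), the following Python script audits a Tomcat server.xml for enabled AJP Connectors and checks a version string against the affected ranges listed above. The sample server.xml is constructed for the demo, and the `secret` attribute it looks for is the one introduced by the fixed releases.

```python
# Added example, not part of the original post: audit a Tomcat server.xml for
# enabled AJP connectors and check a Tomcat version against the affected ranges
# listed above. SAMPLE_SERVER_XML is constructed for the demo.
import xml.etree.ElementTree as ET

# Fixed releases named in the post: 7.0.100, 8.5.51, 9.0.31 (Tomcat 6 is unmaintained).
FIXED = {7: (7, 0, 100), 8: (8, 5, 51), 9: (9, 0, 31)}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def parse_version(text):
    return tuple(int(p) for p in text.split("."))

def is_affected_version(version):
    """True if this Tomcat version is in an affected range for CVE-2020-1938."""
    v = parse_version(version)
    if v[0] <= 6:
        return True  # Tomcat 6 and older never received a fix
    fixed = FIXED.get(v[0])
    return fixed is not None and v < fixed

def audit_ajp_connectors(server_xml):
    """One finding per enabled AJP Connector (commented-out ones are dropped by
    the XML parser). 'exposed': not bound to a loopback address, so it listens
    on all interfaces. 'no_secret': no AJP shared secret configured (assumption:
    the secret attribute introduced by the fixed releases; older versions ignore it)."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "AJP" not in conn.get("protocol", "").upper():
            continue  # HTTP/HTTPS connectors are out of scope for Ghostcat
        address = conn.get("address", "0.0.0.0")  # pre-fix default: all interfaces
        findings.append({
            "port": conn.get("port"),
            "exposed": address not in LOOPBACK,
            "no_secret": conn.get("secret") is None,
        })
    return findings

SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <!-- <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1" secret="x"/> -->
    <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps"/></Engine>
  </Service>
</Server>"""

if __name__ == "__main__":
    print("8.5.50 affected:", is_affected_version("8.5.50"))  # True
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(finding)  # {'port': '8009', 'exposed': True, 'no_secret': True}
```

Run it against your own server.xml by replacing the sample string; an AJP connector that is enabled, exposed and has no secret on an affected version is exactly the configuration the post warns about.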
References
- CVE-2020-1938: Ghostcat vulnerability
- Apache Tomcat 8 Configuration Reference (8.0.53): The AJP Connector