Ghostcat: Tomcat AJP Vulnerability

Saloon Keeper
Posts: 3027
I was listening to Security Now this morning and there was a story about a vulnerability with Tomcat versions 7.X through 9.X.  

You can see/hear the story here:

The issue is related to the AJP interface on TCP port 8009, and is described in CVE-2020-1938.  While I was listening, I thought that it was probably being overstated because it would be unlikely that anyone would have Tomcat directly exposed to the Internet, but later I wondered if it could be an issue in deployments where Tomcat was fronted by a reverse proxy using AJP, such as Apache HTTPd + mod_proxy_ajp.

Has anyone looked at this?
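Two checks that answer the question above, as an added example that is not part of the original thread or of Tomcat itself: the first parses a server.xml and flags AJP connectors that listen on every interface or accept requests without a shared secret (the attributes `address`, `secretRequired` and `secret` are the real Tomcat Connector attributes; the fixed releases 9.0.31, 8.5.51 and 7.0.100 added `secretRequired`/`secret` and disabled the AJP connector by default), and the second builds an AJP13 CPing packet and parses the CPong reply so you can see whether port 8009 is reachable from the network position you are testing from. The two server.xml fragments are constructed for this example; the CPing/CPong byte layout is the documented AJP13 framing.

```python
"""Audit Tomcat AJP exposure (CVE-2020-1938, "Ghostcat").

Added example, not code from the thread.  Sample server.xml fragments
below are constructed; use your real file and host in practice.
"""
from __future__ import annotations

import socket
import struct
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the shape that shipped by default before the fixed
# releases.  No address means "all interfaces"; no secret means any client
# that can reach the port can send AJP requests.
WEAK_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# Constructed sample: loopback only, and every forwarded request must carry
# the shared secret (mod_proxy_ajp sends it via ProxyPass ... secret=...).
HARDENED_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-long-random-value"
               redirectPort="8443"/>
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"0.0.0.0", "::"}


def audit_ajp_connectors(server_xml: str) -> list[str]:
    """Return one finding per weakness found in the AJP connectors."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").startswith("AJP"):
            continue
        port = conn.get("port", "8009")
        address = conn.get("address")
        if address is None or address in WILDCARD:
            findings.append(f"AJP connector on port {port} listens on all interfaces")
        elif address not in LOOPBACK:
            findings.append(f"AJP connector on port {port} is bound to {address}, not loopback")
        # 'requiredSecret' is the pre-fix attribute name, kept for old configs.
        secret = conn.get("secret") or conn.get("requiredSecret")
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        if not secret_required or not secret:
            findings.append(f"AJP connector on port {port} accepts requests without a shared secret")
    return findings


# AJP13 framing: client packets start with 0x12 0x34, server packets with
# "AB"; then a 2-byte big-endian payload length, then the payload.
AJP_CPING = bytes([0x12, 0x34, 0x00, 0x01, 0x0A])  # payload: type 10 (CPing)
AJP_CPONG = bytes([0x41, 0x42, 0x00, 0x01, 0x09])  # payload: type 9  (CPong)


def build_cping() -> bytes:
    """Build the 5-byte CPing packet a connector must answer with CPong."""
    return b"\x12\x34" + struct.pack(">H", 1) + b"\x0A"


def is_cpong(reply: bytes) -> bool:
    """True if the bytes are a well-formed AJP13 CPong from a server."""
    if len(reply) < 5 or reply[:2] != b"AB":
        return False
    (length,) = struct.unpack(">H", reply[2:4])
    return length == 1 and reply[4] == 0x09


def ajp_reachable(host: str, port: int = 8009, timeout: float = 3.0) -> bool:
    """Network check: connect, send CPing, report whether CPong came back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_cping())
            return is_cpong(s.recv(5))
    except OSError:
        return False


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_ajp_connectors(xml) or ["no findings"])
    if len(sys.argv) > 1:  # optional: python ghostcat_check.py HOST [PORT]
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 8009
        print(host, port, "AJP reachable" if ajp_reachable(host, port) else "no CPong")
```

A CPong only proves the port is reachable; a connector with `secretRequired="true"` still answers CPing, so run the server.xml audit as well. In a mod_proxy_ajp deployment the point of the exercise is that the AJP port should answer from the proxy host and from nowhere else.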
Posts: 21756
While I'm not totally clear, it sounds like you could upload a JSP via the AJP connector and if the webapp designer were idiot enough to store uploaded files within the WAR that the uploaded JSP could then be executed as though it was a legitimate part of the WAR application.

It does sound like Apache could be used for exploitation from remote sources in such cases.

But I've told people for years never to upload or write files into a WAR. Even absent the security risks, it doesn't work unless the WAR has been exploded (which, alas, is Tomcat's default), and potentially valuable files can get lost by a simple software upgrade.

I would definitely upgrade, but again, no well-designed webapp should be storing data of any kind within the WAR directory, or for that matter within any directory that's part of the Tomcat server.
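A check that follows from the advice above, added here as an example rather than code from the thread: compare the JSPs inside the WAR that was deployed with the JSPs actually present in the exploded directory under webapps/. Anything on disk that is not in the WAR was written after deployment, and Tomcat will compile and serve it as part of the application. The WAR, the exploded copy and the dropped file are all constructed in a temporary directory so the script runs offline; the paths `app.war` and `webapps/app` are assumptions for the demo.

```python
"""List JSPs in an exploded Tomcat webapp that are not in its WAR.

Added example, not code from the thread.  build_demo() constructs the
WAR and exploded directory so the script runs stand-alone.
"""
from __future__ import annotations

import tempfile
import zipfile
from pathlib import Path

JSP_SUFFIXES = (".jsp", ".jspx")


def jsp_entries_in_war(war_path: Path) -> set[str]:
    """JSP entry names (forward-slash relative paths) inside the WAR."""
    with zipfile.ZipFile(war_path) as war:
        return {n for n in war.namelist() if n.lower().endswith(JSP_SUFFIXES)}


def jsp_files_on_disk(exploded_dir: Path) -> set[str]:
    """JSP files under the exploded webapp, relative to its root."""
    found = set()
    for path in exploded_dir.rglob("*"):
        if path.is_file() and path.suffix.lower() in JSP_SUFFIXES:
            found.add(path.relative_to(exploded_dir).as_posix())
    return found


def foreign_jsps(war_path: Path, exploded_dir: Path) -> set[str]:
    """JSPs present on disk but absent from the WAR: written post-deploy."""
    return jsp_files_on_disk(exploded_dir) - jsp_entries_in_war(war_path)


def build_demo(root: Path, drop_file: bool) -> tuple[Path, Path]:
    """Constructed sample: a WAR with one JSP, its exploded copy, and
    optionally a JSP dropped into the exploded directory afterwards."""
    war = root / "app.war"
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("index.jsp", "<%= \"hello\" %>")
        z.writestr("WEB-INF/web.xml", "<web-app/>")
    exploded = root / "webapps" / "app"
    with zipfile.ZipFile(war) as z:
        z.extractall(exploded)
    if drop_file:
        # Simulates an upload handler that writes into the WAR directory.
        (exploded / "uploads").mkdir()
        (exploded / "uploads" / "cmd.jsp").write_text("<%-- dropped after deployment --%>")
    return war, exploded


def run_demo(drop_file: bool = True) -> set[str]:
    """Build the sample and return the JSPs that only exist on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        war, exploded = build_demo(Path(tmp), drop_file)
        return foreign_jsps(war, exploded)


if __name__ == "__main__":
    print("foreign JSPs:", sorted(run_demo()) or "none")
```

On a real host, point `foreign_jsps()` at the WAR kept in your deployment pipeline and at `$CATALINA_BASE/webapps/<app>`; Tomcat's own work directory (compiled `.java`/`.class` for JSPs) is not under webapps/ and does not need excluding.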