!! Ghostcat: Tomcat AJP Vulnerability
I was listening to Security Now this morning and there was a story about a vulnerability with Tomcat versions 7.X through 9.X.  

You can see/hear the story here:



The issue is related to the AJP interface on TCP port 8009, and is described in CVE-2020-1938.  While I was listening, I thought that it was probably being overstated because it would be unlikely that anyone would have Tomcat directly exposed to the Internet, but later I wondered if it could be an issue in deployments where Tomcat was fronted by a reverse proxy using AJP, such as Apache HTTPd + mod_proxy_ajp.

Has anyone looked at this?
While I'm not totally clear, it sounds like you could upload a JSP via the AJP connector and, if the webapp designer were idiot enough to store uploaded files within the WAR, the uploaded JSP could then be executed as though it were a legitimate part of the WAR application.

It does sound like Apache could be used for exploitation from remote sources in such cases.

But I've told people for years never to upload or write files into a WAR. Even absent the security risks, it doesn't work unless the WAR has been exploded (which, alas, is Tomcat's default), and potentially valuable files can get lost by a simple software upgrade.

I would definitely upgrade, but again, no well-designed webapp should be storing data of any kind within the WAR directory, or for that matter within any directory that's part of the Tomcat server.
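On the proxied-deployment question raised above, the practical check is whether anything other than the fronting proxy can reach the AJP port, and whether that proxy has to present a shared secret. The following is an added example, not code from this thread or from the Tomcat project: a small Python audit of a Tomcat server.xml that flags AJP connectors without a loopback bind and without a `secret` (the `address`, `secret` and `secretRequired` attributes are real Tomcat connector attributes; the server.xml fragments and the secret value are constructed for the demo).

```python
"""Audit Tomcat server.xml for AJP connectors reachable without a shared secret."""
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragments for the demo, not taken from any real host.
EXPOSED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""

HARDENED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="example-shared-secret" />
</Service></Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return [(port, [problem, ...]), ...] for each AJP connector with a problem."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if "AJP" not in conn.get("protocol", "").upper():
            continue  # HTTP/HTTPS connectors are out of scope for CVE-2020-1938
        problems = []
        address = conn.get("address")
        if address is None:
            # Tomcat releases before the CVE-2020-1938 fix bound an unset
            # address to all interfaces, so the port is reachable from any peer.
            problems.append("no address attribute; may listen on all interfaces")
        elif address not in LOOPBACK:
            problems.append(f"bound to non-loopback address {address}")
        if conn.get("secretRequired", "true").lower() == "false":
            problems.append('secretRequired="false" disables proxy authentication')
        if not conn.get("secret"):
            # Without a secret, any client that reaches the port can speak AJP;
            # mod_proxy_ajp must be configured with the same secret to connect.
            problems.append("no secret; proxy is not authenticated")
        if problems:
            findings.append((conn.get("port", "?"), problems))
    return findings


if __name__ == "__main__":
    for label, xml in (("exposed", EXPOSED_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_ajp_connectors(xml) or "no AJP findings")
```

Run it against a real server.xml by reading the file into `audit_ajp_connectors`; a clean result still assumes the proxy host itself is the only peer that can reach port 8009.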