ALERT: Update Apache Tomcat for Ghostcat vulnerability

Tuesday, March 3, 2020

The information below was sent to U-M IT groups on March 3, 2020. It is intended for U-M IT staff who are responsible for university servers with Apache Tomcat installed. This includes servers running Red Hat Linux and other Linux distributions that include Apache Tomcat.

Summary

A vulnerability has been discovered in Apache Tomcat that could allow for reading and writing to files in the webapp directories of Tomcat. Apache Tomcat is an open-source web server that supports running Java code. Depending on the privileges associated with the application, an attacker exploiting the vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. Update to the latest version of Apache Tomcat as soon as possible after appropriate testing.

Problem

There is a vulnerability affecting all versions of Apache Tomcat that can be exploited to read or write files to a Tomcat server. Proof-of-concept code has been released to GitHub by multiple security researchers. Mass scanning activity targeting the vulnerability was detected over the weekend of February 29–March 1.

Affected Versions

  • Apache Tomcat 9.x versions less than 9.0.31
  • Apache Tomcat 8.x versions less than 8.5.51
  • Apache Tomcat 7.x versions less than 7.0.100
  • Apache Tomcat 6.x versions (End of life, not patched)
  • Red Hat JBoss Web Server (JWS) versions 3.1.7 and 5.2.0
  • Red Hat JBoss Enterprise Application Platform (EAP) versions 6.x and 7.x
  • Red Hat Enterprise Linux (RHEL) versions 5.x ELS, 6.x, 7.x, and 8.x (as pki-servlet-container, pki-servlet-engine in pki-deps module)
  • Any apps that include Tomcat server

Action Items

Update as soon as possible after appropriate testing. The need for immediate action requires an expedited timeframe that supersedes the remediation timeframes in Vulnerability Management (DS-21). This is particularly important for any systems that allow access from untrusted networks, such as those exposed to access from the internet.

  • Update to the latest version of Apache Tomcat. Apache Tomcat has released versions 9.0.31, 8.5.51, and 7.0.100 to fix this vulnerability.
  • Red Hat recommends disabling the Apache JServ Protocol (AJP) connector in Tomcat if it is not used, or binding it to the localhost address. AJP is used mostly in clustered environments, and port 8009 should never be exposed to the internet without strict access-control lists. The AJP connector is enabled by default on all Tomcat servers.
  • If the Apache JServ Protocol (AJP) service is not required, disable it on the host.
  • If the AJP service does not need to be publicly accessible, ensure that access is filtered.
  • If your Linux distribution or apps include Tomcat, watch for updates from your vendor and apply them.
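As an added example (not part of the U-M advisory and not Apache Tomcat project code), the following Python script turns the affected-version list and the AJP action items above into a repeatable check a server owner can run: it compares the installed Tomcat version with the fixed releases named in the advisory, parses server.xml to report every enabled AJP connector that is not bound to a loopback address or has no secret configured, and lists which action items apply. The fixed-version table is taken from the advisory; the sample server.xml, its ports, and the secret value are constructed placeholders.

```python
"""Ghostcat (CVE-2020-1938) exposure check for an Apache Tomcat host.

Added example for this advisory; not U-M or Apache Tomcat project code.
It implements the advisory's action items as two checks:
  1. is the installed version below the fixed release for its branch, and
  2. does server.xml enable an AJP connector reachable from off the host.
"""
import xml.etree.ElementTree as ET

# Fixed releases named in the advisory, keyed by major version.
FIXED_RELEASE = {9: (9, 0, 31), 8: (8, 5, 51), 7: (7, 0, 100)}

# Addresses that keep the AJP connector reachable only from the host itself.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "0:0:0:0:0:0:0:1"}


def parse_version(version):
    """'8.5.50' -> (8, 5, 50); tuples compare correctly where strings do not."""
    return tuple(int(part) for part in version.strip().split("."))


def version_is_vulnerable(version):
    """True if the version is below its branch's fixed release.

    6.x (and anything older) is end of life with no patch, so it is always
    reported vulnerable; branches the advisory does not cover raise.
    """
    parts = parse_version(version)
    major = parts[0]
    if major < 7:
        return True
    if major not in FIXED_RELEASE:
        raise ValueError(f"Tomcat {version}: branch not covered by this advisory")
    return parts < FIXED_RELEASE[major]


def audit_ajp_connectors(server_xml):
    """Return one dict per enabled AJP <Connector> in server.xml.

    A commented-out connector is not returned (ElementTree drops XML
    comments), which is exactly the "disabled" state the advisory asks for.
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue  # HTTP/HTTPS connectors are not affected
        address = conn.get("address")  # absent means "listen on all interfaces"
        findings.append({
            "port": conn.get("port", "8009"),
            "address": address or "all interfaces",
            "exposed": address not in LOOPBACK,
            # 'secret' is the attribute name in the fixed releases; older
            # releases spelled it 'requiredSecret'.
            "has_secret": bool(conn.get("secret") or conn.get("requiredSecret")),
        })
    return findings


def recommended_actions(version, server_xml):
    """Map the two checks onto the advisory's action items."""
    actions = []
    if version_is_vulnerable(version):
        major = parse_version(version)[0]
        target = (".".join(map(str, FIXED_RELEASE[major]))
                  if major in FIXED_RELEASE else "a supported branch")
        actions.append(f"Update Tomcat {version} to {target} or later")
    for c in audit_ajp_connectors(server_xml):
        if c["exposed"]:
            actions.append(f"Disable the AJP connector on port {c['port']} or bind it to loopback")
        if not c["has_secret"]:
            actions.append(f"Configure a secret on the AJP connector on port {c['port']}")
    return actions


# Constructed sample: one default-style AJP connector (the risky form) and
# one bound to loopback with a placeholder secret (the hardened form).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-RANDOM-VALUE" />
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for line in recommended_actions("8.5.50", SAMPLE_SERVER_XML):
        print(line)
```

On a real host, pass the output of `bin/version.sh` (the "Server version" line) and the contents of `conf/server.xml` instead of the sample. A connector reported as `exposed` needs one of the two fixes the advisory lists (comment it out, or add `address="127.0.0.1"`), and anything that must stay reachable off-host still needs the host or network firewall filtering the advisory calls for; the script only reports what the configuration file says, not what a firewall in front of it permits.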

Threats

By exploiting the Ghostcat vulnerability, an attacker could read the contents of configuration files and source code files of all webapps deployed on Tomcat. In addition, if the web application allows users to upload files, an attacker could upload a file containing malicious code to the server and execute code remotely. Proof-of-concept code for testing or launching Ghostcat attacks proliferated on GitHub after public disclosure of the vulnerability in late February. Mass scanning activity targeting the vulnerability was detected over the weekend of February 29–March 1.

Technical Details

  • A vulnerability has been discovered in Apache Tomcat that could allow for reading of arbitrary files on the affected system. The vulnerability exists in the Apache JServ Protocol (AJP) connector, which is enabled by default and exposed over TCP port 8009. It can be exploited by an attacker who can communicate with the affected AJP service. If the server is running a web application that allows file uploads, a remote file inclusion vulnerability that could allow for remote code execution becomes exploitable. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If the application has been configured with fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it were configured with administrative rights.
  • Due to the inclusion of Apache Tomcat in Red Hat products, multiple vulnerabilities have been announced in Red Hat products, the most severe of which could allow for reading of arbitrary files on the affected system. CVE-2020-1938 is a file read/inclusion vulnerability in the AJP connector in Apache Tomcat. CVE-2020-1745 is a vulnerability very similar to CVE-2020-1938 but occurs in Apache Undertow. These vulnerabilities exist in the AJP protocol which is, by default, exposed over TCP port 8009 and enabled. An attacker with the ability to interact with the AJP protocol could exploit these vulnerabilities using specially crafted packets and/or files. Successful exploitation of these vulnerabilities could allow an attacker to read arbitrary files on the affected server or, in the case where file upload functionality is enabled, possibly execute code.

Detection

Chinese cybersecurity company Chaitin, which discovered the vulnerability, has made tools available to determine if a server is affected by Ghostcat. See Ghostcat (Chaitin).

How We Protect U-M

  • Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
  • IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
  • IA provides vulnerability management guidance to the university.

Information for Users

The Ghostcat vulnerability affects servers, so general users will not encounter it.

In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.