The GhostCat vulnerability was recently found in Apache Tomcat. Here's everything you need to know about the GhostCat vulnerability and how to prevent it.
GhostCat is a serious vulnerability in the AJP connector of Apache Tomcat, designated CVE-2020-1938 by MITRE. It affects Tomcat 9.0.0.M1 through 9.0.30, 8.5.0 through 8.5.50 and 7.0.0 through 7.0.99 (end-of-life branches such as 6.x are affected as well), and it is fixed in 9.0.31, 8.5.51 and 7.0.100. An attacker who can reach the AJP port can make Tomcat return any file from inside a web application, such as WEB-INF/web.xml, and where the application also accepts file uploads, can get an uploaded file processed as a JSP, which means code execution. The vulnerability is serious, but it is also easy to fix.
You may have heard about it or have been affected by the GhostCat vulnerability already. How can you prevent your Apache Tomcat web server from being affected?
If you must keep the AJP (Apache JServ Protocol) connector, you remain exposed unless you upgrade to a fixed release, bind the connector to the loopback address or to the proxy-facing interface only, and configure a shared secret that the reverse proxy must present (from 9.0.31, 8.5.51 and 7.0.100 the connector refuses to start without a secret unless secretRequired="false"). Very few deployments actually need the binary protocol. If you are proxying to your server via the AJP port, enable the HTTP port and proxy traffic over HTTP (or HTTPS) instead. The key step is to disable the AJP port.
Checking the log file (catalina.out by default, or the file named after the service when Tomcat runs as a Windows service) or the server.xml configuration file is the best way to determine whether the AJP connector is enabled and the server is therefore exposed.
The log file has an entry for initializing protocols, with the package:
org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
The entry for the AJP connector looks like this (the x's stand for the address the connector is bound to; that part is absent when the Connector has no address attribute and listens on every interface):
org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-xxxxxxxxxxx-8009"]
8009 is the default port for the AJP endpoint. If your log has an "Initializing ProtocolHandler" entry whose name starts with "ajp", the AJP connector is running. On a release before the fix that means the server is vulnerable to anyone who can reach that port; on a fixed release it is still exposed if the port is reachable from untrusted networks and no secret is configured.
Also check the server.xml file: the AJP endpoint is enabled or disabled by its Connector element there.
Below is the start of the AJP section as shipped in the default server.xml of the 9.0.31 release. From that release on, the Connector element is commented out, so AJP is disabled by default.
<!-- Define an AJP 1.3 Connector on port 8009 -->
To prevent unauthorized access, simply disable the AJP endpoint: delete or comment out its Connector element in server.xml.
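As an added illustration, not text from the original article: the AJP Connector as it appeared in the default server.xml of releases before the fix (enabled, on every interface, no secret), the 9.0.31 default in which the same element is commented out, and a hardened form for the rare case where AJP must stay on. The secret value is a placeholder and must match what the reverse proxy is configured with.

```xml
<!-- Before 9.0.31 / 8.5.51 / 7.0.100: shipped enabled, bound to all interfaces, no secret -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- 9.0.31 default: the element is commented out, so AJP is off unless you enable it -->
<!-- Define an AJP 1.3 Connector on port 8009 -->
<!--
<Connector protocol="AJP/1.3"
           address="::1"
           port="8009"
           redirectPort="8443" />
-->

<!-- If AJP must stay on: bind to loopback (or the proxy-facing address) and require the
     secret the proxy presents; "replace-with-a-long-random-value" is a placeholder -->
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           redirectPort="8443"
           secretRequired="true"
           secret="replace-with-a-long-random-value" />
```

On the proxy side the same value goes into mod_jk's worker.<name>.secret property or the secret= parameter of a mod_proxy_ajp ProxyPass; a proxy that does not present it is refused. Note that after upgrading, an old server.xml that still carries the pre-fix Connector line will stop the AJP connector from starting, because secretRequired defaults to true and no secret is set.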
A firewall will also help. If traffic to the AJP port (8009 by default) is blocked from everywhere except the reverse proxy, the vulnerability cannot be reached from the network. Bear in mind that processes on the Tomcat host itself, and any host allowed through the firewall, can still speak AJP to the connector.
After updating server.xml the server must be restarted. When it starts, confirm AJP is gone by watching the log: the protocol initialization lines should list only HTTP and/or HTTPS handlers, with no "ajp" entry.
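The two checks above, the catalina.out startup lines and the Connector elements in server.xml, as an added example in Python (not code from the article or the Tomcat project). The log lines and the three server.xml fragments are constructed for the example; the function names and the verdict strings are the example's own. The verdict logic assumes the behaviour of the fixed releases, where secretRequired defaults to true.

```python
"""Find an enabled AJP connector (GhostCat, CVE-2020-1938) from catalina.out
and server.xml, and say how exposed it is.  Added example; sample inputs are
constructed, not taken from a real server."""
import re
import xml.etree.ElementTree as ET

# Coyote writes one line per connector at startup, e.g.
#   ... org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-8009"]
# The quoted name is <protocol>-<io>[-<bound address>]-<port>; the address part is
# present only when the Connector element has an address attribute.
_HANDLER_RE = re.compile(r'Initializing ProtocolHandler \["(?P<name>[^"]+)"\]')
_NAME_RE = re.compile(r"^(?P<proto>[a-z0-9]+)-(?P<io>[a-z0-9]+)(?:-(?P<addr>.+))?-(?P<port>\d+)$")

LOOPBACK = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "localhost"}


def ajp_handlers_from_log(lines):
    """Return [(address or None, port)] for every AJP ProtocolHandler the log initialised."""
    found = []
    for line in lines:
        m = _HANDLER_RE.search(line)
        if not m:
            continue
        n = _NAME_RE.match(m.group("name"))
        if n and n.group("proto") == "ajp":
            found.append((n.group("addr"), int(n.group("port"))))
    return found


def ajp_connectors_from_server_xml(xml_text):
    """Return one dict per active AJP <Connector>.  Elements wrapped in <!-- -->
    are invisible to the XML parser, exactly as they are to Tomcat."""
    connectors = []
    for c in ET.fromstring(xml_text).iter("Connector"):
        if not c.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        sr = c.get("secretRequired")
        connectors.append({
            "port": int(c.get("port", "0")),
            "address": c.get("address"),                          # None: all interfaces
            "secret": c.get("secret"),
            "secret_required": None if sr is None else sr.lower() == "true",  # None: not set
        })
    return connectors


def assess(connector, fixed_release):
    """One-line verdict for an active AJP connector.  fixed_release is True when
    Tomcat is 9.0.31, 8.5.51, 7.0.100 or later; those releases introduced
    secretRequired (default true) and bind the shipped example to loopback."""
    if not fixed_release:
        return "VULNERABLE: AJP active on an unpatched release; upgrade, and disable it unless needed"
    local = connector["address"] in LOOPBACK
    has_secret = bool(connector["secret"])
    required = connector["secret_required"] is not False      # unset means the default, true
    if required and not has_secret:
        return "BLOCKED: secretRequired without a secret; a fixed release refuses to start this connector"
    if local and has_secret:
        return "RESTRICTED: loopback-only and secret-protected"
    if local:
        return "LOCAL: only processes on this host can reach it"
    if has_secret:
        return "NETWORK: reachable from the network, but a client must know the secret"
    return "EXPOSED: reachable from the network with no secret; disable it, or bind it and add a secret"


# Constructed catalina.out excerpt in Tomcat's default one-line log format.
SAMPLE_LOG = """\
25-Feb-2020 09:15:01.120 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
25-Feb-2020 09:15:01.131 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-8009"]
25-Feb-2020 09:15:01.140 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [1340] milliseconds
""".splitlines()

# Constructed server.xml fragments: the pre-fix default, a hardened one, and one with AJP commented out.
EXPOSED_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <!-- Define an AJP 1.3 Connector on port 8009 -->
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  <Engine name="Catalina" defaultHost="localhost"/>
</Service></Server>"""

HARDENED_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
             secretRequired="true" secret="example-only-secret"/>
  <Engine name="Catalina" defaultHost="localhost"/>
</Service></Server>"""

DISABLED_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <!-- Define an AJP 1.3 Connector on port 8009 -->
  <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
  <Engine name="Catalina" defaultHost="localhost"/>
</Service></Server>"""

if __name__ == "__main__":
    print("AJP handlers in log:", ajp_handlers_from_log(SAMPLE_LOG))
    for label, xml in (("exposed", EXPOSED_XML), ("hardened", HARDENED_XML), ("disabled", DISABLED_XML)):
        conns = ajp_connectors_from_server_xml(xml)
        print(label, "->", [assess(c, fixed_release=True) for c in conns] or "no active AJP connector")
```

Run it against your own files by reading catalina.out into a list of lines and server.xml into a string. The log check is the one that reflects what is actually running; the server.xml check tells you what will happen at the next restart, including the BLOCKED case, where an old configuration stops the connector from starting on a patched release.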
A port scan of the Tomcat server (TCP 8009 by default) will also show whether an AJP port is open to the network.
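An open TCP port only says that something is listening. The probe below, an added example rather than code from the article or from Tomcat, sends the AJP/1.3 CPing packet and looks for the CPong reply, which distinguishes a real AJP connector from any other service on that port. The fake container and plain listener are test scaffolding written for the example; the function names are the example's own. A CPong reply proves an AJP listener is reachable; it says nothing about whether that listener requires a secret.

```python
"""Probe a host for a live AJP connector with a CPing/CPong exchange.  Added
example; the loopback listeners below stand in for Tomcat so it runs offline."""
import socket
import threading

# AJP/1.3 framing: proxy->container packets start with 0x12 0x34, container->proxy
# packets with "AB"; a two-byte big-endian payload length follows, then the payload.
MAGIC_TO_CONTAINER = b"\x12\x34"
MAGIC_FROM_CONTAINER = b"AB"
CPING = b"\x0a"   # prefix code 10: "are you alive?"
CPONG = b"\x09"   # prefix code 9: the container's reply to CPing
CPONG_PACKET = MAGIC_FROM_CONTAINER + b"\x00\x01" + CPONG


def ajp_packet(payload):
    """Frame a proxy->container AJP packet."""
    return MAGIC_TO_CONTAINER + len(payload).to_bytes(2, "big") + payload


def _recv_exact(sock, n):
    """Read n bytes, or fewer if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe_ajp(host, port=8009, timeout=3.0):
    """'ajp' if host:port answers CPing with CPong, 'open' if TCP connects but the
    peer does not speak AJP, 'closed' if the connection is refused or times out."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    with sock:
        try:
            sock.sendall(ajp_packet(CPING))
            reply = _recv_exact(sock, len(CPONG_PACKET))
        except OSError:            # reset by peer, or timeout (a subclass of OSError)
            return "open"
    return "ajp" if reply == CPONG_PACKET else "open"


def fake_ajp_container():
    """Loopback listener that answers one CPing with CPong (stand-in for Tomcat); returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if conn.recv(64) == ajp_packet(CPING):
                conn.sendall(CPONG_PACKET)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def fake_plain_listener():
    """Loopback listener that accepts and immediately closes, i.e. not AJP; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port():
    """A loopback port that was bound and released, so nothing listens on it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    print("fake AJP container:", probe_ajp("127.0.0.1", fake_ajp_container()))   # ajp
    print("plain listener:    ", probe_ajp("127.0.0.1", fake_plain_listener()))  # open
    print("nothing listening: ", probe_ajp("127.0.0.1", unused_port(), timeout=1.0))  # closed
```

Against a real server call probe_ajp with the host name and, if you changed it, the port; run it from the network segment you are worried about, because the answer from the Tomcat host itself will always be "ajp" when the connector is bound to loopback, which is exactly the restricted configuration you want.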
If you would like to know more or have questions, please feel free to email me, [email protected].
Our team at OpenLogic by Perforce is also ready to help you get your Apache Tomcat servers secure and supported. We can help you prevent vulnerabilities like GhostCat. And we can help you establish the processes you need to avoid these vulnerabilities in the future.
Connect with an open source expert today to learn how we can help you.
GhostCat isn't the only open source vulnerability you need to worry about. In our recent webinar, Application Security Basics, we shared strategies for mitigating security risks, including:
Enterprise Solutions Architect, OpenLogic by Perforce
Andrew has been working in the IT industry since 1996, ranging from hardware and networking to application development. Andrew’s #1 specialty is Apache Tomcat, and he is recognized in the Tomcat community as a subject matter expert, assisting the Tomcat open source project in many ways.