Ghostcat vulnerabliity
March 4, 2020

GhostCat Vulnerability in Apache Tomcat: What You Need to Know

Security
Open Source

The GhostCat vulnerability was recently found in Apache Tomcat. Here's everything you need to know about the GhostCat vulnerability and how to prevent it.

What Is the GhostCat Vulnerability?

GhostCat is a vulnerability in Apache TomCat with a serious security flaw. It is designated by Mitre as CVE-2020-1938. this vulnerability affects versions of Tomcat prior to 9.0. This vulnerability is serious — but GhostCat is also easily fixable.

You may have heard about it or have been affected by the GhostCat vulnerability already. How can you prevent your Apache Tomcat web server from being affected? 

If you are forced to use AJP or the Apache JServ Protocol, you will be vulnerable. Very few situations require the use of a binary protocol. If you are proxying to your server via the AJP port, enable the HTTP port and proxy traffic using the HTTP (or HTTPS) protocol. The key step is to disable the AJP port. 

Are You at Risk for the GhostCat Vulnerability?

Checking the log file (catalina.out by default, or the service name if running on Windows) or the configuration file is the best way to determine if the server is vulnerable.

The log file has an entry for initializing protocols, with the package:

org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler

The entry for the AJP protocol looks like this:

org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-xxxxxxxxxxx -8009"]

8009 is the default port for the AJP protocol endpoint.  If there is an entry in your log file that includes “ajp” and “initializing”, the server is vulnerable.

Also, check the server.xml file. The endpoint for AJP is enabled or disabled in the server.xml file.

Below we see the default example that ships with the server.xml in the 9.0.31 release. AJP is disabled by default. 

   <!-- Define an AJP 1.3 Connector on port 8009 -->
   <!--
   <Connector protocol="AJP/1.3"
              address="::1"
              port="8009"
              redirectPort="8443" />
   -->


How to Fix the GhostCat Vulnerability

In order to prevent unauthorized access, simply disable the AJP endpoint. This is done by deleting or commenting out the entry in the server.xml file. 

Firewalls will also assist with preventing access to the server. If traffic is blocked on the default AJP port, port 8009, there is no way to leverage this vulnerability. 

After updating the server.xml the server will require a restart. When the server starts, ensure AJP is not enabled by watching the log file. During the initialization of protocols, AJP should not be there, just HTTP, and/or HTTPS. 

Scanning for open ports on the Tomcat server will also indicate if there is an AJP port open.

Get Help Fixing the GhostCat Vulnerability

If you would like to know more or have questions, please feel free to email me, [email protected]

Our team at OpenLogic by Perforce is also ready to help you get your Apache Tomcat servers secure and supported. We can help you prevent vulnerabilities like GhostCat. And we can help you establish the processes you need to avoid these vulnerabilities in the future.

Connect with an open source expert today to learn how we can help you.

TALK TO A GHOSTCAT EXPERT

 

 

Prevent More Vulnerabilities

GhostCat isn't the only open source vulnerability you need to worry about. In our recent webinar, Application Security Basics, we shared strategies for mitigating security risks, including:

  • Common terminology and standards.
  • Ways to think about application security as part of your process.
  • Common vulnerability categories with their mitigations.
  • Resources for more information.

Watch the Webinar