GhostCat Vulnerability in Apache Tomcat: What You Need to Know
The GhostCat vulnerability was recently found in Apache Tomcat. Here's everything you need to know about the GhostCat vulnerability, including available patches, workarounds, and how to get help if needed.
Note From the Editor:While GhostCat is relatively old news now, teams still need to remain vigilant in patching their Tomcat versions for known CVEs. If you need help patching your Tomcat builds, please reach out to our team via the form on our Tomcat support page.Back to top
What Is the GhostCat Vulnerability?
GhostCat is a vulnerability in Apache TomCat with a serious security flaw. It is designated by Mitre as CVE-2020-1938. this vulnerability affects versions of Tomcat prior to 9.0. This vulnerability is serious — but GhostCat is also easily fixable.
You may have heard about it or have been affected by the GhostCat vulnerability already. How can you prevent your Apache Tomcat web server from being affected?
If you are forced to use AJP or the Apache JServ Protocol, you will be vulnerable. Very few situations require the use of a binary protocol. If you are proxying to your server via the AJP port, enable the HTTP port and proxy traffic using the HTTP (or HTTPS) protocol. The key step is to disable the AJP port.
Want to Improve Your Tomcat Security?
Read our new Enterprise Guide to Apache Tomcat for a full range of Tomcat security best practices, with additional sections on performance, resilience, clustering, and more.
Back to top
Are You at Risk for the GhostCat Vulnerability?
Checking the log file (catalina.out by default, or the service name if running on Windows) or the configuration file is the best way to determine if the server is vulnerable.
The log file has an entry for initializing protocols, with the package:
org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler
The entry for the AJP protocol looks like this:
org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-xxxxxxxxxxx -8009"]
8009 is the default port for the AJP protocol endpoint. If there is an entry in your log file that includes “ajp” and “initializing”, the server is vulnerable.
Also, check the server.xml file. The endpoint for AJP is enabled or disabled in the server.xml file.
Below we see the default example that ships with the server.xml in the 9.0.31 release. AJP is disabled by default.
Back to top
<!-- Define an AJP 1.3 Connector on port 8009 --> <!-- <Connector protocol="AJP/1.3" address="::1" port="8009" redirectPort="8443" /> -->
How to Fix the GhostCat Vulnerability
In order to prevent unauthorized access, simply disable the AJP endpoint. This is done by deleting or commenting out the entry in the server.xml file.
Firewalls will also assist with preventing access to the server. If traffic is blocked on the default AJP port, port 8009, there is no way to leverage this vulnerability.
After updating the server.xml the server will require a restart. When the server starts, ensure AJP is not enabled by watching the log file. During the initialization of protocols, AJP should not be there, just HTTP, and/or HTTPS.
Scanning for open ports on the Tomcat server will also indicate if there is an AJP port open.Back to top
Get Help Fixing the GhostCat Vulnerability
Our team at OpenLogic by Perforce is ready to help you get your Apache Tomcat servers secure and supported. We can help you prevent vulnerabilities like GhostCat. And we can help you establish the processes you need to avoid these vulnerabilities in the future.
Connect with an open source expert today to learn how we can help you.
Prevent More Vulnerabilities
GhostCat isn't the only open source vulnerability you need to worry about. In our recent webinar, Application Security Basics, we shared strategies for mitigating security risks, including:
- Common terminology and standards.
- Ways to think about application security as part of your process.
- Common vulnerability categories with their mitigations.
- Resources for more information.