What is Apache AJP and Ghostcat
Recently, there are new vulnerabilities that been discovered by Chinese cybersecurity firm Chaitin Tech related to Apache AJP protocol. The vulnerabilities have been given codename Ghostcat (CVE-2020-1938) where it will impact all older versions of Apache Tomcat that been released 13 years ago.
For those who are not familiar with the Apache AJP server, AJP stands for Apache Jserv Protocol and it is normally used for a performance-optimized version of the HTTP protocol. Apache Tomcat AJP will use the port 8009 for listening Apache server by default.
Source: Apache JServ Protocol
What Ghostcat can do to your Apache?
This vulnerability will allow the attacker to read all the configuration contents files that been deployed within the Apache Tomcat. The vulnerabilities can become more dangerous if the website application that uses Apache Tomcat allows public or unknown people to upload any files into the Server especially the JSP file.
Even though the upload section has been restricted only upload files without JSP format into it, the attacker can still rename the file to ensure that the server accepted the file.
The affected Apache version would be :
- Apache Tomcat 9.x < 9.0.31
- Apache Tomcat 8.x < 8.5.51
- Apache Tomcat 7.x < 7.0.100
- Apache Tomcat 6.x
For the vulnerabilities to be fixed by the System Administrator or Developer, they need to comment out or remove the following the line from the file such as :<CATALINA_BASE>/conf/server.xm
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
How to comment out the line above in Apache would look something like follows:
<!--Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />-->
Reminder: The recommendation above is not coming from myself and all the credit will go here