This report is about a vulnerability given the identification of CVE-2020-1938 which affects the Apache Tomcat software package. Apache Tomcat is a Java-based program that allows website maintainers to serve content with the Java programming language. CVE-2020-1938 has been addressed by the Apache Tomcat maintainers with a patch, but patch availability depends on the version you’re running. CVE-2020-1938 has been given the name of GhostCat by the security community.
The vulnerability is caused by the AJP connector within the Java Servlet being unable to process the read/inclusion of file inputs. The reason this can occur is due to the default configuration inside Servlet having 0.0.0.0:8009 hardcoded (does redirect to port 8443). This allows a remote attacker to read Java application files and potentially perform remote code execution via customized Java (.jar or similar file type) application to be uploaded to the server if file uploading is enabled in the server configuration. Potential bad actors can exploit this vulnerability without the need to authenticate. The AJP connector is enabled by default in all Apache Tomcat versions making them likely to be vulnerable to exploitation with an exception for patched versions of the software.
Here is a guide to mapping your systems to the patches currently available:
May affect a wide variety of web servers as Apache Tomcat comes bundled with a lot of other software packages/repositories.
It’s highly encouraged that you implement one of the patches available please, refer to the table above in the TTPs (Tactics, Techniques, and Procedures) section. If you cannot implement the patch for any business-related reason, consider reviewing the options below.
Note: The Avertium Threat Report analyzes one current threat that has been shared by threat intelligence networks across the globe. Used internally by the Avertium CyberOps Team, this report will outline a “top-of-mind” threat and how it ought to be addressed accordingly.
This informed analysis is based on the latest data available.
Contact us for more information about Avertium’s managed detection and response service capabilities.