
Security Notices

2020-02-29 Apache JServ Protocol (AJP) (CVE-2020-1938)

On February 29th, a vulnerability affecting Apache Tomcat was publicly disclosed:

This CVE describes an issue in AJP (Apache JServ Protocol) that can be exploited to read or write files on a Tomcat server. Tomcat uses AJP to exchange data with nearby Apache HTTPD web servers or other Tomcat instances. This connector is enabled by default on all Tomcat servers and listens on port 8009, bound to the 0.0.0.0 address (all interfaces).

In addition, application configuration files could be read and passwords or API tokens stolen, and the ability to write files could be used to plant backdoors or web shells. The attack is exploitable over the network with low attack complexity, requiring neither privileges nor user interaction.

More information about this issue and the exact changes is available at the Apache Tomcat official site.

Affected platforms

Check the Apache Tomcat version you are currently using. The following versions are vulnerable:

  • 7.0.0 to 7.0.99
  • 8.5.0 to 8.5.50
  • 9.0.0.M1 to 9.0.30

How to patch it

Update Apache Tomcat to version 7.0.100, 8.5.51 or 9.0.31.

We also recommend not exposing the AJP port externally, to avoid being affected by this issue.
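As an added example (not part of this notice or the Apache Tomcat project), the following Python check applies the version ranges listed above and flags AJP connectors in server.xml that are not bound to a loopback address. The version string format ("Apache Tomcat/9.0.30") and the server.xml fragment are constructed assumptions.

```python
"""Added check for CVE-2020-1938 exposure; not from the Apache Tomcat project."""
import re
import xml.etree.ElementTree as ET

# Vulnerable ranges from the notice, (first, last) inclusive, keyed by major version.
VULNERABLE = {
    7: ((7, 0, 0), (7, 0, 99)),
    8: ((8, 5, 0), (8, 5, 50)),
    9: ((9, 0, 0), (9, 0, 30)),
}
# Bind addresses that are unreachable from other hosts.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed server.xml fragment with the default, externally exposed AJP connector.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""


def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'Apache Tomcat/9.0.30' or '9.0.0.M1'.
    Milestone suffixes such as M1 are dropped, so 9.0.0.M1 compares as 9.0.0."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no Tomcat version found in %r" % text)
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(text):
    """True if the version falls inside one of the ranges listed in the notice."""
    v = parse_version(text)
    rng = VULNERABLE.get(v[0])
    return rng is not None and rng[0] <= v <= rng[1]


def exposed_ajp_connectors(server_xml):
    """Return [(port, address)] for AJP connectors not bound to a loopback address.
    A Connector without an address attribute listens on 0.0.0.0, as the notice says."""
    root = ET.fromstring(server_xml)
    exposed = []
    for conn in root.iter("Connector"):
        if "AJP" not in conn.get("protocol", "").upper():
            continue
        addr = conn.get("address", "0.0.0.0")
        if addr not in LOOPBACK:
            exposed.append((conn.get("port"), addr))
    return exposed
```

Run `is_vulnerable_version` against the output of Tomcat's version script and `exposed_ajp_connectors` against the real conf/server.xml; any connector it returns should be disabled or bound to loopback.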

Last modification April 17, 2020