2020-02-29 Apache JServ Protocol (AJP) (CVE-2020-1938)
On February 29th, a vulnerability affecting Apache Tomcat were publicly disclosed:
- Apache JServ Protocol (AJP) (CVE-2020-1938)
This CVE describes an issue in AJP (Apache JServ Protocol) that can be exploited to either read or write files to a Tomcat server. Tomcat uses AJP to exchange data with nearby Apache HTTPD web servers or other Tomcat instances. This connector is enabled by default on all Tomcat servers and listens on the server’s port 8009, bounded to the 0.0.0.0 IP address.
In addition, application’s configuration files could be read, and passwords or API tokens stolen creating backdoors or web shells. This attack is exploitable via network with low attack complexity and without the required privileges as well as without the need for user interaction.
More info about this issue and the exact changes at the Apache Tomcat official site.
Check the Apache Tomcat version that you are currently using. The following versions are vulnerable and allow malicious users to exploit it:
- 7.0.0 to 7.0.99
- 8.5.0 to 8.5.50
- 9.0.0.M1 to 9.0.30
How to patch it
Update Apache Tomcat version to 7.0.100, 8.5.51 or 9.0.31.
We also recommend to not expose the AJP port externally to avoid being affected by this issue.