A new vulnerability dubbed Ghostcat affects the Apache Tomcat AJP protocol. The vulnerability allows an attacker to read configuration and source code files.
The vulnerability, dubbed Ghostcat, was discovered by the Chinese cybersecurity company Chaitin Tech. Ghostcat allows reading configuration and source code files from a Tomcat server; on vulnerable servers it can also be leveraged to install backdoors.
Apache Tomcat is an open-source Java program that provides a pure Java HTTP web server environment for Java code to run in.
“If the website application allows users to upload files, an attacker can first upload a file containing malicious JSP script code to the server (the uploaded file itself can be any type of file, such as pictures, plain text files etc.), and then include the uploaded file by exploiting the Ghostcat vulnerability, which finally can result in remote code execution,” Chaitin Tech experts say.
All versions of Tomcat 9, 8, 7 and 6 released in the last 13 years are reported to be affected by Ghostcat.
Tomcat is configured with two connectors: the HTTP Connector and the AJP Connector.
Apache JServ Protocol (AJP) is a binary variant of HTTP that allows a web server to communicate with the servlet container placed behind it.
Because the AJP Connector is enabled by default, more than 170,000 devices are reported to be exposed to this flaw.
If the AJP Connector is enabled and attackers can reach it, they can exploit the Ghostcat vulnerability.
The Tomcat versions affected with the Ghostcat vulnerability include:
Apache Tomcat 9.x < 9.0.31
Apache Tomcat 8.x < 8.5.51
Apache Tomcat 7.x < 7.0.100
Apache Tomcat 6.x
In addition to reading configuration files, attackers can exploit this vulnerability to steal API tokens and passcodes, and also to write files such as malware to the server.
To fix this vulnerability, the Tomcat project released patched versions 9.0.31, 8.5.51, and 7.0.100.
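As an added example, not part of the article or of the Tomcat project's own code: a small Python audit script that checks a Tomcat version string against the affected ranges listed above and scans a server.xml for an AJP Connector that is enabled, reachable on all interfaces, or configured without a shared secret. The `address`, `secret` and `secretRequired` connector attributes are Tomcat's own (the latter two were introduced with the fixed releases); the sample server.xml is constructed.

```python
import xml.etree.ElementTree as ET

# Fixed versions named in the article; anything older (and every 6.x) is affected.
FIXED = {9: (9, 0, 31), 8: (8, 5, 51), 7: (7, 0, 100)}

LOOPBACK = ("127.0.0.1", "::1", "localhost")


def is_affected(version):
    """True if a Tomcat version string falls in the Ghostcat-affected ranges."""
    parts = tuple(int(x) for x in version.split("."))
    if parts[0] == 6:
        return True  # no fixed 6.x release exists; the whole branch is affected
    fixed = FIXED.get(parts[0])
    return fixed is not None and parts < fixed


def audit_ajp(server_xml):
    """Return one finding string per risky AJP Connector in a server.xml document."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue  # only the AJP connector is relevant to Ghostcat
        port = conn.get("port", "?")
        address = conn.get("address")  # absent -> all interfaces on pre-fix versions
        if address not in LOOPBACK:
            findings.append(f"AJP on port {port} is bound to {address or 'all interfaces'}")
        # Without a shared secret, any peer that can reach the port can speak AJP.
        if not conn.get("secret") or conn.get("secretRequired", "true").lower() == "false":
            findings.append(f"AJP on port {port} has no required shared secret")
    return findings


# Constructed sample: a typical pre-fix server.xml with AJP enabled by default.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# Constructed hardened variant: loopback-only and protected by a shared secret.
HARDENED_SERVER_XML = SAMPLE_SERVER_XML.replace(
    'protocol="AJP/1.3"',
    'protocol="AJP/1.3" address="127.0.0.1" secretRequired="true" secret="CHANGE-ME"',
)

if __name__ == "__main__":
    for finding in audit_ajp(SAMPLE_SERVER_XML):
        print("FINDING:", finding)
    print("hardened findings:", audit_ajp(HARDENED_SERVER_XML))
    print("9.0.30 affected:", is_affected("9.0.30"), "| 9.0.31 affected:", is_affected("9.0.31"))
```

If the AJP Connector is not needed at all, the simplest mitigation is to comment it out of server.xml entirely and restart Tomcat, then confirm nothing is listening on the AJP port.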