Chinese security researchers have discovered on the Apache-Tomcat as a web server, or on the container, written in Java, and web-based applications in a breach-of-security-review. In the name of “Ghostcat, in accordance with the gap in the Tomcat binary that is used by the communication Protocol. The Apache JServ Protocol (AJP).
A remote attacker may need to do a gap for you to read in arbitrary files in the Web-App’s directory, such as configuration files or source code) to access it. If the applications are on the Server, it is also possible to send the file, that is, in some cases, the execution of the program code by an attacker (Remote Code Execution), it is possible.
In an entry in the National Vulnerability Database (NVD) to Ghostcat also known as CVE-2020-in the year 1938, the the gap is with a CVSS v3 Score was 9.8 out of a possible 10. It is therefore of the utmost importance, and all users should Upgrade immediately, especially in the case of Me, at least, a five-a demonstration Exploit is available, the Code can also be used by an attacker to abuse. In addition to this, have tweeted to the company’s security Packages are damagedalready, the activity of the attack, in the form of a mass of verification-of-door room.
In exploring the limitations of
The site is Ghostcat, is the Apache-Tomcat in its Default configuration it is, in principle, by using the CVE-2020-the year of 1938 to be vulnerable. The attack was carried out by the so-called “AJP-Connector” Service, the Tomcat is used for communication between Applications and the outside world, through the AJP uses.
If the non-authorized access to the Service Connector Port (Default to 8009) configuration due to it (not) possible or where the Service has been completely turned off by the “gap”, according to the who version, it can’t be exploited. However, we do not recommend you to update it if it is not used. If it’s not going to be used, you must disable it or configure it to listen only on the localhost.
The Tomcat for more than 13 years of age, a vulnerable
According to the research team that resides Ghostcat, at least as of February, 2007, and published to the Apache Tomcat Version 6.0 in the AJP. Proven to the release of a series affected are
- Apache Tomcat 6.x (all versions)
- Apache Tomcat 7.x prior to Version 7.0.100
- The Apache Tomcat 8.x prior to the Release of 8.5.51 and
- Apache Tomcat Is 9.x prior to Version 9.0.31
The older versions have not been studied by the researchers according to their own figures on the gap.
The secure versions and more information
The Apache Tomcat versions 7.0.100, 8.5.51 and 9.0.31 they are safe and available for you to Download. These include, among other things, Changes in the configuration of the Connector Service.
The discoverer of the gap, and suggest that users make an Update, and the AJP Connector Service, and then you want to make use of a couple of manual configuration to make the change. They say that in the Ghostcat-site, in the section titled “How do I fix it?”.
In addition to this, there is a separate document, and/or up-to-date Tomcat Package for all gnu / Linux distributions and the applications that they bring to the Tomcat: