Advisory March 3, 2020

GhostCat Vulnerability (CVE-2020-1938)


What is it about?

A vulnerability (CVE-2020-1938) has been identified on Apache Tomcat , named “GhostCat”, which is a flaw in the Tomcat AJP protocol.
In order for an attacker to exploit the vulnerability of GhostCat, the AJP Connector must be activated and the attacker must have access to the AJP Connector service port.

What is the impact of this attack?

An attacker can get access to configuration files and source code files of any web applications deployed on Tomcat. This is feasible in case the site exposes file upload functionality which is used by an attacker to initially upload a malicious JSP script code file (the code can be contained to files of any filetype, such as pictures, plain text files, etc.). If the included file is successfully exploited it allows the attacker to execute malicious code.

Affected product versions

  • Apache Tomcat 9.x
  • Apache Tomcat 8.x
  • Apache Tomcat 7.x
  • Apache Tomcat 6.x

What organisations should do as part of mitigation and prevention actions

It is strongly recommended that affected customers should immediately take action and apply the provided mitigation steps:

  • Update the Apache Tomcat to latest versions 9.0.31, 8.5.51, and 7.0.100 to fix this vulnerability.
    Note. Additionally, the latest releases fix 2 other low severity HTTP request smuggling issues (CVE-2020-1935 and CVE-2019-17569).
  • If the affected web server cannot be updated, the AJP Connector should be directly disabled, or its listening address should point to the localhost.