
Link to the NVD detail: https://nvd.nist.gov/vuln/detail/CVE-2020-1938

 

Published on 2020-02-24, this vulnerability (commonly referred to as "Ghostcat") is a serious file read/inclusion (Local File Inclusion, LFI) flaw in the Apache JServ Protocol (AJP) connector of Apache Tomcat. An unauthenticated client that can reach the connector can make Tomcat read any file inside a deployed web application (for example WEB-INF/web.xml, which often contains credentials or internal paths); if the attacker can also get a file into the web application, for instance through an upload feature, Tomcat can be made to process it as a JSP, which leads to Remote Code Execution (RCE). AJP is a binary protocol, listening by default on TCP port 8009, that carries requests from a front-end web server (typically Apache httpd via mod_jk or mod_proxy_ajp) to the application server for performance reasons; it assumes a trusted peer and was never meant to be exposed to untrusted networks. Vulnerable Tomcat versions and the fixes available from Apache are:

 

Affected Apache Tomcat version       Fixed version
Apache Tomcat 9.0.30 and below       9.0.31
Apache Tomcat 8.5.50 and below       8.5.51
Apache Tomcat 7.0.99 and below       7.0.100

 

 

Some BMC products ship a vulnerable version of Apache Tomcat. If the AJP connector is enabled in Tomcat's conf/server.xml, make sure it is bound to the loopback interface with the "address" attribute set to "localhost" and that it requires a shared secret. The attribute that holds the secret depends on the Tomcat version: on the vulnerable releases listed above the secret is the value of the "requiredSecret" attribute itself (these releases have no "secret" attribute; an unknown attribute is ignored with a warning in the logs, so setting requiredSecret="true" would make the secret the literal string "true"). In the fixed releases "requiredSecret" is deprecated in favour of "secret", and the new "secretRequired" attribute (default true) refuses to start the connector unless a secret is configured. In both cases the secret acts as a password, so its value must be long, random and unique to the installation. If nothing in front of Tomcat actually uses AJP, the simplest and safest fix is to disable the connector by commenting it out.

 

For example, change:

 

    <!-- Define an AJP 1.3 Connector on port 8009 -->

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

 

To:

 

    <!-- Define an AJP 1.3 Connector on port 8009 -->

    <!-- Tomcat 9.0.30 / 8.5.50 / 7.0.99 and earlier: requiredSecret holds the shared secret itself -->
    <Connector port="8009" address="localhost" requiredSecret="strong and unique password" protocol="AJP/1.3" redirectPort="8443" />

    <!-- Tomcat 9.0.31 / 8.5.51 / 7.0.100 and later: use secret (requiredSecret is deprecated); secretRequired defaults to true -->
    <Connector port="8009" address="localhost" secret="strong and unique password" secretRequired="true" protocol="AJP/1.3" redirectPort="8443" />

 

The same secret must be configured on every worker that connects to Tomcat, otherwise the front end's own requests are rejected along with the attacker's. With mod_jk it is set in workers.properties as worker.<name>.secret; with mod_proxy_ajp it is the secret= key on the ProxyPass line (supported from Apache httpd 2.4.42 onward; older httpd releases cannot send a secret, so use mod_jk or keep the connector reachable only from localhost).

 

Independently of the secret, restrict access to the connector port at the host or network firewall so that only localhost, or the front-end web servers that legitimately proxy to Tomcat, can reach it. Which sources are trusted depends on the services running on your Tomcat instance; an AJP port that is reachable from the Internet is a misconfiguration regardless of the Tomcat version.
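The following audit script is an added example for this advisory, not code from BMC or Apache. It parses a server.xml and reports every AJP connector that violates the guidance above: a connector listening on all interfaces, a missing secret, a secret that is only a boolean-looking value (the requiredSecret="true" mistake on pre-fix Tomcat), a secret that is too short, or secretRequired="false" on a fixed release. The embedded server.xml is constructed for the demonstration, and the 16-character minimum length is an assumption, not an Apache requirement.

```python
"""Audit a Tomcat server.xml for AJP connectors that can be reached without a shared secret.

Added example; not code from BMC or Apache. The sample server.xml below is constructed.
"""
import xml.etree.ElementTree as ET

MIN_SECRET_LEN = 16  # assumption: shorter shared secrets are reported as weak

# Constructed sample: one HTTP connector and three AJP connectors in different states.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- default, vulnerable: all interfaces, no secret -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <!-- common mistake on pre-fix Tomcat: the secret becomes the literal string "true" -->
    <Connector port="8010" address="localhost" requiredSecret="true"
               protocol="AJP/1.3" redirectPort="8443" />
    <!-- hardened for 9.0.31 / 8.5.51 / 7.0.100 and later -->
    <Connector port="8011" address="127.0.0.1" secret="k7Qx2mZ9vB4nL0pRwT3eYu6s"
               secretRequired="true" protocol="org.apache.coyote.ajp.AjpNioProtocol" />
  </Service>
</Server>
"""


def is_ajp(connector):
    """True for protocol="AJP/1.3" and for the explicit org.apache.coyote.ajp.* class names."""
    return "AJP" in connector.get("protocol", "HTTP/1.1").upper()


def audit_ajp_connectors(server_xml):
    """Return {port: [issue, ...]} for every AJP connector; an empty list means no finding."""
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not is_ajp(conn):
            continue
        issues = []

        # No address attribute means "listen on every local address" on pre-fix Tomcat.
        address = conn.get("address")
        if address is None or address in ("0.0.0.0", "::"):
            issues.append('listens on all interfaces (set address="localhost" or firewall the port)')

        # Fixed releases read the secret from "secret"; pre-fix releases from "requiredSecret".
        secret = conn.get("secret") or conn.get("requiredSecret")
        if conn.get("secretRequired", "true").lower() == "false":
            issues.append('secretRequired="false" lets unauthenticated AJP requests through')
        if not secret:
            issues.append("no shared secret configured")
        elif secret.lower() in ("true", "false"):
            issues.append("secret is a boolean-looking value; on pre-fix Tomcat the attribute value IS the secret")
        elif len(secret) < MIN_SECRET_LEN:
            issues.append("shared secret shorter than %d characters" % MIN_SECRET_LEN)

        findings[conn.get("port")] = issues
    return findings


if __name__ == "__main__":
    for port, issues in audit_ajp_connectors(SAMPLE_SERVER_XML).items():
        print("AJP connector on port %s: %s" % (port, "OK" if not issues else "; ".join(issues)))
```

To check a real installation, pass the contents of conf/server.xml to audit_ajp_connectors(). A connector that has been commented out is not parsed at all and therefore produces no entry, which is the desired result when AJP is not in use.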

 

BMC is working on upgrading the affected products to a fixed Tomcat release. Until that update is available, apply the configuration change described above: with the connector bound to localhost and protected by a strong secret (or disabled outright when AJP is not needed), an attacker who cannot reach the port or does not know the secret is unable to exploit this vulnerability.