
Just a quick note about a new Tomcat vulnerability that appeared, called Ghostcat: CVE-2020-1938. Of course it has a cute logo.

It affects any Tomcat server with the AJP connector enabled, which it is by default, listening on TCP port 8009 on all interfaces. If an attacker can reach that port then, in the words of the Apache advisory, it "can be exploited in ways that may be surprising". That is: without authentication, read any file within the web application (config files, source code, the contents of WEB-INF), and, if the application also lets users upload files into the web application, have an uploaded file processed as a JSP and so execute arbitrary code. Yes, that would be surprising.

Versions 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 are affected. The fixes are in 9.0.31, 8.5.51 and 7.0.100, which also change the AJP connector defaults: it now binds to the loopback address and refuses to start without a shared secret unless you explicitly set secretRequired="false".


You may want to start looking in your estate with a basic query such as:

search SoftwareInstance where type = 'Apache Tomcat Application Server'
show version, listening_ports, listen_tcp_sockets,
     #RunningSoftware:HostedSoftware:Host:Host.name as 'Running on',
     #RunningSoftware:HostedSoftware:Host:Host.#DeviceWithAddress:DeviceAddress::IPAddress.#DeviceOnSubnet:DeviceSubnet:Subnet:Subnet.ip_address_range as 'Subnet'

to get an idea of what servers are out there. You could then add conditions on the version and on the listening ports/sockets, and look at which networks they sit on, focusing on the less trusted ones first.

Note that although the port may be listening on a non-localhost socket, it may still be blocked by a host firewall, as is the case on the Discovery appliances. Then the question becomes: do you trust all local users? On a Discovery appliance the local tideway user has access to everything anyway, so reaching the AJP port gives it no extra advantage. That changes if you have created additional, limited-rights local OS users for some reason.
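As an added example (written for this note, not code from the original post or from Apache Tomcat), here are the two checks a practitioner would want next to the Discovery query above: whether a reported Tomcat version falls in the affected ranges, and whether a server.xml exposes an AJP connector on the network, on loopback only, or not at all, and with or without a shared secret. The fixed-in versions are those from the Apache advisory; the two server.xml fragments are constructed for the example, and the function and dictionary names are mine.

```python
"""Triage helpers for CVE-2020-1938 (Ghostcat).

Example code added for this note, not part of the original post or of
Apache Tomcat. Assumes the affected/fixed versions from the Apache
advisory and a server.xml in the standard Tomcat layout.
"""
import xml.etree.ElementTree as ET

# First fixed release per supported branch: 9.0.31, 8.5.51, 7.0.100.
FIXED_IN = {(9, 0): 31, (8, 5): 51, (7, 0): 100}

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"0.0.0.0", "::", ""}   # no address attribute means all interfaces


def parse_version(version):
    """'9.0.0.M1' -> (9, 0, 0); a milestone suffix stops numeric parsing."""
    nums = []
    for part in version.replace("-", ".").split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3])


def is_affected(version):
    """True/False per the advisory ranges; None for branches it does not list."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return None
    return patch < fixed


def audit_ajp(server_xml):
    """Return one finding per AJP connector found in a server.xml string."""
    findings = []
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        # Tomcat defaults protocol to HTTP/1.1 when the attribute is absent.
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        address = conn.get("address", "")
        if address in WILDCARD:
            exposure = "network"      # reachable from any interface
        elif address in LOOPBACK:
            exposure = "local"        # only local OS users can reach it
        else:
            exposure = "bound:" + address
        findings.append({
            "port": int(conn.get("port", "8009")),
            "exposure": exposure,
            "secret": bool(conn.get("secret")),
        })
    return findings


def verdict(version, server_xml):
    """Combine the version check and the connector audit into one line."""
    affected = is_affected(version)
    findings = audit_ajp(server_xml)
    if not findings:
        return "no AJP connector: not exposed"
    if affected is False:
        return "fixed version: verify secret and bind address anyway"
    # affected, or a branch the advisory does not cover: treat as affected
    if any(f["exposure"] == "network" for f in findings):
        return "patch now: AJP reachable from the network"
    return "patch soon: AJP local only, review local OS users"


# Constructed sample: the stock server.xml shape with the default AJP connector.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- default AJP connector: all interfaces, no secret -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>"""

# Constructed sample: the same file with the connector bound to loopback
# and a shared secret, as the fixed releases require by default.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="change-me" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>"""


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(name, audit_ajp(xml), "->", verdict("9.0.30", xml))
```

The version check is deliberately conservative: a branch the advisory does not list (for example a 10.0.0 milestone) returns None and is treated as affected by verdict, so it ends up in the "patch" bucket rather than being silently cleared. Delete the AJP connector outright if nothing (typically an Apache httpd front end with mod_jk or mod_proxy_ajp) actually uses it.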


Keep an eye on the OSU for updates to the Discovery appliances.