Bug 1806398 (CVE-2020-1938)
| Summary: | CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Ted Jongseok Won <jwon> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aakhtar, abokovoy, aileenc, akoufoud, alazarot, alee, almorale, anstephe, ascheel, asoldano, atangrin, avibelli, bbaranow, bgeorges, bmaxwell, brian.stansberry, cbuissar, cdewolf, chazlett, cmoulliard, coolsvap, csutherl, darran.lofthouse, dbecker, dkaylor, dkreling, dmoppert, dosoudil, drieden, edewata, emarquez, etirelli, frenaud, gandavar, ggaughan, ggrzybek, guliu, gzaronik, hdaicho, hhorak, ibek, ikanello, ivan.afonichev, iweiss, janstey, java-sig-commits, jawilson, jbalunas, jclere, jiehuang, jjoyce, jlyle, jochrist, jolee, jorton, jpallich, jperkins, jschatte, jschluet, jstastny, jwon, kbasil, kbost, krathod, krzysztof.daniel, kverlaen, kwills, kyoshida, lgao, lhh, lpeer, lthon, mbabacek, mburns, mcascell, mizdebsk, mkolesni, mkoncek, mkosek, mnovotny, msochure, msunil, msvehla, mszynkie, mvanderw, myarboro, nbhumkar, nwallace, paradhya, pgallagh, pjindal, pmackay, psotirop, qguo, rfreire, rguimara, rrajasek, rruss, rsvoboda, rsynek, sclewis, scohen, sdaley, security-response-team, slinaber, smaestri, tom.jenkinson, twoerner, vhalbert, weli, ymittal, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | tomcat 9.0.31, tomcat 8.5.51, tomcat 7.0.100 | Doc Type: | If docs needed, set a value |
| Doc Text: |
CVE-2020-1938 is a file read/inclusion vulnerability in the AJP connector in Apache Tomcat. This is enabled by default with a default configuration port of 8009. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution (RCE).
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-03-17 16:32:00 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1806500, 1806501, 1806801, 1806802, 1806803, 1806804, 1806805, 1806806, 1806807, 1806808, 1807332, 1807640, 1807641, 1807650, 1812470, 1814026, 1840074 | ||
| Bug Blocks: | 1806404 | ||
|
Description
Ted Jongseok Won
2020-02-24 06:09:54 UTC
AJP is for mod_jk or mod_proxy_ajp and some other proxies, if you are not using an AJP proxy in front of your tomcat, you MUST have the AJP connector REMOVED from server.xml. AJP is known as unencrypted and old "unsafe" protocol from before 2000: DON'T use it, use https proxy instead (use mod_proxy instead mod_jk when possible). Fixes are available here: https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.100 https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51 https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31 Nothing showing for Tomcat 10 yet, but this is where they will appear https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.x External References: https://www.cnvd.org.cn/webinfo/show/5415 https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487 https://meterpreter.org/cve-2020-1938-apache-tomcat-ajp-connector-remote-code-execution-vulnerability-alert/ https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.100 https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51 https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31 Created tomcat tracking bugs for this issue: Affects: fedora-all [bug 1806805] Marking RHOSP 10 as 'wontfix' as OpenDaylight was in technical preview during this release. From skitt regarding OpenStack: "As you say, ODL doesn’t enable AJP by default, but it probably is configurable. At least, there’s an embedded Tomcat available in Karaf, thanks to Pax, so users could enable that. They would also need to explicitly enable the AJP connector since it’s not listed in the included default server.xml. In any case, as you also mention, all the recommendations around AJP were always to never expose the AJP port (not just with my ODL hat on; in previous jobs I deployed Tomcat with AJP). ODL never supported setups where admin ports of any kind are accessible to the wider public..." As such, marking Red Hat Openstack 13 as wontfix. Statement: Please refer to the Red Hat knowledgebase article: https://access.redhat.com/solutions/4851251 and CVE page https://access.redhat.com/security/cve/cve-2020-1745 Mitigation: Please refer to the Red Hat knowledgebase article: https://access.redhat.com/solutions/4851251 This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2020:0860 https://access.redhat.com/errata/RHSA-2020:0860 This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 7 Red Hat JBoss Web Server 3 for RHEL 6 Via RHSA-2020:0861 https://access.redhat.com/errata/RHSA-2020:0861 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0855 https://access.redhat.com/errata/RHSA-2020:0855 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-1938 This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2020:0912 https://access.redhat.com/errata/RHSA-2020:0912 https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html ?route 0x06 So JVMRoute does NOT need to be added in allowedRequestAttributesPattern as it is a directly processed attribute of the protocol. ?req_attribute 0x0A allowedRequestAttributesPattern controls the names of special attributes that can be used there. This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 Via RHSA-2020:1479 https://access.redhat.com/errata/RHSA-2020:1479 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Via RHSA-2020:1478 https://access.redhat.com/errata/RHSA-2020:1478 This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2020:1521 https://access.redhat.com/errata/RHSA-2020:1521 This issue has been addressed in the following products: Red Hat JBoss Web Server 5.3 on RHEL 7 Red Hat JBoss Web Server 5.3 on RHEL 6 Red Hat JBoss Web Server 5.3 on RHEL 8 Via RHSA-2020:1520 https://access.redhat.com/errata/RHSA-2020:1520 This issue has been addressed in the following products: Red Hat Runtimes Spring Boot 2.1.13 Via RHSA-2020:2367 https://access.redhat.com/errata/RHSA-2020:2367 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Via RHSA-2020:2780 https://access.redhat.com/errata/RHSA-2020:2780 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Via RHSA-2020:2781 https://access.redhat.com/errata/RHSA-2020:2781 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2020:2779 https://access.redhat.com/errata/RHSA-2020:2779 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:2783 https://access.redhat.com/errata/RHSA-2020:2783 This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2020:2840 https://access.redhat.com/errata/RHSA-2020:2840 (In reply to Anten Skrabec from comment #58) > From skitt regarding OpenStack: > > "As you say, ODL doesn’t enable AJP by default, but it probably is > configurable. At least, there’s an embedded Tomcat available in Karaf, > thanks to Pax, so users could enable that. They would also need to > explicitly enable the AJP connector since it’s not listed in the > included default server.xml. Embedded Tomcat in Karaf (thanks to pax-web-tomcat) doesn't allow AJP connectors anyway. I only instantiates NIO connector ("new org.apache.catalina.connector.Connector("HTTP/1.1")") This issue has been addressed in the following products: Red Hat Fuse 7.9 Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140 |