Bug 1806398 (CVE-2020-1938) - CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability
Summary: CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-1938
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1806500 1806501 1806801 1806802 1806803 1806804 1806805 1806806 1806807 1806808 1807332 1807640 1807641 1807650 1812470 1814026 1840074
Blocks: 1806404
Reported: 2020-02-24 06:09 UTC by Ted (Jong Seok) Won
Modified: 2020-09-09 20:28 UTC (History)
CC List: 111 users

Fixed In Version: tomcat 9.0.31, tomcat 8.5.51, tomcat 7.0.100
Doc Type: If docs needed, set a value
Doc Text:
CVE-2020-1938 is a file read/inclusion vulnerability in the AJP connector in Apache Tomcat. This is enabled by default with a default configuration port of 8009. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution (RCE).
Clone Of:
Environment:
Last Closed: 2020-03-17 16:32:00 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:0927 None None None 2020-03-23 12:06:31 UTC
Red Hat Product Errata RHBA-2020:1272 None None None 2020-04-01 11:56:34 UTC
Red Hat Product Errata RHBA-2020:1439 None None None 2020-04-14 11:35:21 UTC
Red Hat Product Errata RHBA-2020:1440 None None None 2020-04-14 11:39:32 UTC
Red Hat Product Errata RHBA-2020:1441 None None None 2020-04-14 11:41:32 UTC
Red Hat Product Errata RHBA-2020:1492 None None None 2020-04-16 12:39:48 UTC
Red Hat Product Errata RHSA-2020:0855 None None None 2020-03-17 16:19:06 UTC
Red Hat Product Errata RHSA-2020:0860 None None None 2020-03-17 13:11:06 UTC
Red Hat Product Errata RHSA-2020:0861 None None None 2020-03-17 13:12:47 UTC
Red Hat Product Errata RHSA-2020:0912 None None None 2020-03-23 08:42:31 UTC
Red Hat Product Errata RHSA-2020:1478 None None None 2020-04-14 21:20:17 UTC
Red Hat Product Errata RHSA-2020:1479 None None None 2020-04-14 20:50:59 UTC
Red Hat Product Errata RHSA-2020:1520 None None None 2020-04-21 11:06:58 UTC
Red Hat Product Errata RHSA-2020:1521 None None None 2020-04-21 10:56:02 UTC
Red Hat Product Errata RHSA-2020:2367 None None None 2020-06-04 13:11:55 UTC
Red Hat Product Errata RHSA-2020:2779 None None None 2020-07-01 11:08:15 UTC
Red Hat Product Errata RHSA-2020:2780 None None None 2020-07-01 10:53:19 UTC
Red Hat Product Errata RHSA-2020:2781 None None None 2020-07-01 10:59:52 UTC
Red Hat Product Errata RHSA-2020:2783 None None None 2020-07-01 11:21:27 UTC
Red Hat Product Errata RHSA-2020:2840 None None None 2020-07-07 10:18:09 UTC

Internal Links: 1819003

Description Ted (Jong Seok) Won 2020-02-24 06:09:54 UTC
CVE-2020-1938 is a file read/inclusion vulnerability in the AJP connector in Apache Tomcat. This is enabled by default with a default configuration port of 8009. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution (RCE).

Comment 11 Jean-frederic Clere 2020-02-24 15:00:04 UTC
AJP is for mod_jk or mod_proxy_ajp and some other proxies; if you are not using an AJP proxy in front of your Tomcat, you MUST have the AJP connector REMOVED from server.xml.
AJP is known as an unencrypted and old "unsafe" protocol from before 2000: DON'T use it, use an https proxy instead (use mod_proxy instead of mod_jk when possible).

Comment 26 Doran Moppert 2020-02-25 04:26:11 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1806805]

Comment 35 Anten Skrabec 2020-02-25 23:58:02 UTC
Marking RHOSP 10 as 'wontfix' as OpenDaylight was in technical preview during this release.

Comment 58 Anten Skrabec 2020-02-27 22:04:56 UTC
From skitt@redhat.com regarding OpenStack:

"As you say, ODL doesn’t enable AJP by default, but it probably is
configurable. At least, there’s an embedded Tomcat available in Karaf,
thanks to Pax, so users could enable that. They would also need to
explicitly enable the AJP connector since it’s not listed in the
included default server.xml.

In any case, as you also mention, all the recommendations around AJP
were always to never expose the AJP port (not just with my ODL hat on;
in previous jobs I deployed Tomcat with AJP). ODL never supported
setups where admin ports of any kind are accessible to the wider
public..."

As such, marking Red Hat Openstack 13 as wontfix.

Comment 91 Ted (Jong Seok) Won 2020-03-10 05:04:31 UTC
Statement:

Please refer to the Red Hat knowledgebase article: https://access.redhat.com/solutions/4851251 and CVE page https://access.redhat.com/security/cve/cve-2020-1745

Comment 92 Ted (Jong Seok) Won 2020-03-10 05:04:37 UTC
Mitigation:

Please refer to the Red Hat knowledgebase article: https://access.redhat.com/solutions/4851251

Comment 102 errata-xmlrpc 2020-03-17 13:11:00 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2020:0860 https://access.redhat.com/errata/RHSA-2020:0860

Comment 103 errata-xmlrpc 2020-03-17 13:12:42 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7
  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2020:0861 https://access.redhat.com/errata/RHSA-2020:0861

Comment 104 errata-xmlrpc 2020-03-17 16:18:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:0855 https://access.redhat.com/errata/RHSA-2020:0855

Comment 105 Product Security DevOps Team 2020-03-17 16:32:00 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-1938

Comment 107 errata-xmlrpc 2020-03-23 08:42:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:0912 https://access.redhat.com/errata/RHSA-2020:0912

Comment 119 Jean-frederic Clere 2020-04-06 07:19:18 UTC
https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
?route	0x06	
So JVMRoute does NOT need to be added in allowedRequestAttributesPattern as it is a directly processed attribute of the protocol.

?req_attribute	0x0A
allowedRequestAttributesPattern controls the names of special attributes that can be used there.
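
The mitigation advice in Comment 11 (remove the AJP connector unless an AJP proxy in front of Tomcat actually needs it) and the allowedRequestAttributesPattern discussion in Comment 119 can be turned into a configuration check. The following Python script is an added example; it is not part of this bug report and not Tomcat's own code. It parses server.xml fragments constructed inline, including the pre-fix default `<Connector port="8009" protocol="AJP/1.3"/>` from the description, and reports AJP connectors that listen on non-loopback addresses, have no shared secret, or set an over-broad allowedRequestAttributesPattern. The `address`, `secret` and `secretRequired` attributes are Tomcat's AJP connector attributes in the fixed versions listed above; the helper names and the secret value are assumptions and placeholders.

```python
"""Audit Tomcat server.xml fragments for risky AJP connectors (added example)."""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample 1: the pre-fix Tomcat default, AJP on 8009 on every
# interface with no shared secret.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed sample 2: the advice from Comment 11 applied, no AJP connector.
NO_AJP_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed sample 3: AJP kept for a local reverse proxy, bound to loopback
# with a required shared secret (placeholder value, not a real secret).
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_RANDOM_SECRET"
               redirectPort="8443"/>
  </Service>
</Server>
"""

# Constructed sample 4: otherwise hardened, but the request-attribute
# allow-list from Comment 119 is opened up to any attribute name.
PERMISSIVE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_RANDOM_SECRET"
               allowedRequestAttributesPattern=".*" redirectPort="8443"/>
  </Service>
</Server>
"""


def _is_loopback(address):
    """True when the connector's address attribute pins it to loopback."""
    if address is None:          # Tomcat default: bind to all interfaces
        return False
    addr = address.strip().strip("[]").lower()
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False             # other hostnames: not provably loopback


def _pattern_is_permissive(pattern):
    """True when the allow-list regex would accept an arbitrary attribute name."""
    try:
        return re.fullmatch(pattern, "arbitrary_attribute_name") is not None
    except re.error:
        return True              # an unparsable pattern is a misconfiguration too


def audit_ajp_connectors(server_xml):
    """Return [{"port": ..., "findings": [...]}] for every AJP <Connector>.

    An empty findings list means the connector is loopback-only, requires a
    shared secret, and does not open the request-attribute allow-list.
    """
    results = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        # AJP is selected either as "AJP/1.3" or as an org.apache.coyote.ajp.* class
        if "ajp" not in protocol.lower():
            continue
        findings = []
        if not _is_loopback(conn.get("address")):
            findings.append("listens on a non-loopback address")
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append("secretRequired=false disables the shared secret")
        elif not conn.get("secret"):
            findings.append("no shared secret configured")
        pattern = conn.get("allowedRequestAttributesPattern")
        if pattern is not None and _pattern_is_permissive(pattern):
            findings.append("allowedRequestAttributesPattern accepts arbitrary attribute names")
        results.append({"port": conn.get("port", "?"), "findings": findings})
    return results


if __name__ == "__main__":
    samples = [("weak", WEAK_SERVER_XML), ("no-ajp", NO_AJP_SERVER_XML),
               ("hardened", HARDENED_SERVER_XML), ("permissive", PERMISSIVE_SERVER_XML)]
    for name, doc in samples:
        print(name, audit_ajp_connectors(doc) or "no AJP connector")
```

Run against a real server.xml by reading the file into a string and passing it to `audit_ajp_connectors`; an empty result list is the outcome Comment 11 asks for, and any non-empty findings list on a host without an AJP reverse proxy is a reason to remove that connector rather than tune it.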

Comment 121 errata-xmlrpc 2020-04-14 20:50:54 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4

Via RHSA-2020:1479 https://access.redhat.com/errata/RHSA-2020:1479

Comment 122 errata-xmlrpc 2020-04-14 21:20:13 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2020:1478 https://access.redhat.com/errata/RHSA-2020:1478

Comment 124 errata-xmlrpc 2020-04-21 10:55:51 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2020:1521 https://access.redhat.com/errata/RHSA-2020:1521

Comment 125 errata-xmlrpc 2020-04-21 11:06:51 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.3 on RHEL 7
  Red Hat JBoss Web Server 5.3 on RHEL 6
  Red Hat JBoss Web Server 5.3 on RHEL 8

Via RHSA-2020:1520 https://access.redhat.com/errata/RHSA-2020:1520

Comment 129 errata-xmlrpc 2020-06-04 13:11:49 UTC
This issue has been addressed in the following products:

  Red Hat Runtimes Spring Boot 2.1.13

Via RHSA-2020:2367 https://access.redhat.com/errata/RHSA-2020:2367

Comment 136 errata-xmlrpc 2020-07-01 10:53:09 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2020:2780 https://access.redhat.com/errata/RHSA-2020:2780

Comment 137 errata-xmlrpc 2020-07-01 10:59:41 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2020:2781 https://access.redhat.com/errata/RHSA-2020:2781

Comment 138 errata-xmlrpc 2020-07-01 11:08:05 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2020:2779 https://access.redhat.com/errata/RHSA-2020:2779

Comment 139 errata-xmlrpc 2020-07-01 11:21:17 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:2783 https://access.redhat.com/errata/RHSA-2020:2783

Comment 140 errata-xmlrpc 2020-07-07 10:18:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Extended Update Support

Via RHSA-2020:2840 https://access.redhat.com/errata/RHSA-2020:2840

