Automatically Discover, Prioritize and Remediate Apache Tomcat AJP File Inclusion Vulnerability (CVE-2020-1938) using Qualys VMDR
Last updated on: September 6, 2020
A severe vulnerability exists in Apache Tomcat’s Apache JServ Protocol. The Chinese cyber security company Chaitin Tech discovered the vulnerability, which is named “Ghostcat” and is tracked using CVE-2020-1938. The security issue has received a critical severity rating score of 9.8 based on CVSS v3 Scoring system.
Due to a file inclusion defect in the AJP service (port 8009) that is enabled by default in Tomcat, an attacker can construct a malicious request package for file inclusion operation, and then read the web directory file on the affected Tomcat server. If the system allows users to upload files, an attacker can upload malicious code to the server, and gain the ability to perform remote code execution.
Apache Tomcat 9.0.0 through 9.0.30
Apache Tomcat 8.5.0 through 8.5.50
Apache Tomcat 7.0.0 through 7.0.99
This vulnerability also affects Apache Tomcat 6; however, patches are not available for version 6.x. Customers are encouraged to upgrade to the latest supported versions of Apache Tomcat.
Identify Assets, Discover, Prioritize and Remediate using Qualys VMDR®
Qualys VMDR, all-in-one vulnerability management, detection and response enables:
- Identification of known and unknown hosts running vulnerable Tomcat servers
- Automatic detection of vulnerabilities and misconfigurations for Tomcat servers
- Prioritization of threats based on risk
- Integrated patch deployment for Windows hosts
Identification of Assets with Apache Tomcat Installations
The first step in managing vulnerabilities and reducing risk is identification of assets. VMDR enables easy identification of hosts with Tomcat Server with version information –
As Tomcat versions 6.x or below servers are at highest risk due to patch unavailability, you may want to search for these EOL’ed versions by enhancing the search query, so that you can group them separately to take care of their risk.
software:(name:tomcat and version<7.0.0)
Group by Software
Using VMDR, you can also identify running Tomcat versions on the host via Qualys QID 86990 as shown below:
Once the hosts are identified, they can be grouped together with a ‘dynamic tag’, let’s say – Tomcat. This helps in automatically grouping existing hosts with Tomcat servers as well as any new host spins up with Tomcat server. Tagging makes these grouped assets available for querying, reporting and management throughout the Qualys Cloud Platform.
Discover Tomcat Vulnerabilities and Misconfigurations
Now that the hosts with Tomcat are identified, you want to detect which of these assets have flagged the CVE-2020-1938 vulnerability. VMDR automatically detects new vulnerabilities like CVE-2020-1938 based on the always updated Knowledgebase.
You can see all your impacted hosts for CVE-2020-1938 (or by Qualys ID: 87413) for your ‘tomcat’ asset tag in vulnerabilities view by using QQL query:
This will return a list of all impacted hosts.
VMDR also enables you to stay on top of these threats proactively via the ‘live feed’ provided for threat prioritization. With ‘live feed’ updated for all emerging high and medium risks, you can clearly see the impacted hosts against threats.
Simply click on the impacted assets for the Tomcat AJP threat feed to see the vulnerability and impacted host details.
With VM Dashboard, you can track Tomcat vulnerabilities, impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of Tomcat vulnerability trends in your environment using Tomcat Vulnerabilities Dashboard –
Configuration management adds context to overall vulnerability management
To overall reduce the security risk, it is important to take care of Tomcat misconfigurations as well. Qualys VMDR shows your Tomcat misconfiguration posture in context with your vulnerability posture, allowing you to see which hosts have Tomcat AJP vulnerability. It also shows Tomcat AJP misconfigurations, elevating the risk for these hosts compared to the hosts for which there may be a vulnerability but where the default port 8009 is not used or the configuration is already hardened.
With Qualys Policy Compliance module of VMDR, you can automatically discover ‘running’ Tomcat (multiple) instances and if they have misconfigurations in context to CVE-2020-1938 vulnerability.
- Qualys configuration ID – 16081 “Status of the ‘protocol’ setting within the ‘server.xml’ file” would be evaluated against all running multiple instances to check if AJP connector is present in the result section as shown below –
- Qualys configuration ID – 17384 “Status of ‘requiredSecret’ setting in AJP Connector” would be evaluated against all running multiple instances to see if “:xxxxxx” value is not shown in the result section as below –
Risk-Based Prioritization of Tomcat Vulnerability
Now that you have identified the hosts, Tomcat versions and context of detected vulnerabilities and misconfigurations, you may want to prioritize your remediation based on the risk, as each vulnerable asset might not pose the same risk.
- Hosts with Tomcat version 6.x or below should be upgraded.
Use the query provided above in the identification phase to list hosts running Tomcat 6.x or below.
- If due to the business reasons it is not possible to upgrade the hosts for which CVE-2020-1938 is detected and misconfigurations (CIDs 16081 and 17384 controls are failing) are detected for the auto-discovered running Tomcat instances as shown below-
CID 16081 checks for AJP connector running on Tomcat server and evaluates misconfiguration based on the Tomcat AJP connector results.
CID 17384 checks for “requiredSecret” value to be configured on the system, and evaluates misconfiguration based on “:xxxxxx” value in the result.
- Hosts with Tomcat version 7.0 or above for which CVE-2020-1938 is detected, however, the Tomcat configurations for running instances are detected as hardened.
Response by Patching and Remediation
Hosts with Tomcat version 6.x or below should be upgraded to later Tomcat versions as no patch is available for them.
For Tomcat versions 7.0 or above for which patch is available, VMDR rapidly remediates the Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select Product: Tomcat” in the Patch Catalog and filter on the “Missing” patches to identify and deploy the applicable, available patches in one go for hosts grouped together by a tag – tomcat.
For proactive, continuous patching, you can create a daily job with a 24-hour “Patch Window” to ensure all hosts will continue to receive the required patches as new patches become available for the emerging vulnerabilities. Note: Tomcat patch on windows hosts requires a reboot.
Users are encouraged to apply patches as soon as possible.
In cases where due to business reasons, it is not possible to upgrade Tomcat 6.0 to later versions or for cases where patching or rebooting of servers is not possible, it is recommended that you reduce your security risk by remediating the related configuration settings for all running Tomcat servers as provided in Qualys Policy Compliance by applying following workarounds:
Disable the AJP Connector directly, or change its listening address to the localhost as explained below-
1. Change the AJP Protocol setting in server.xml fileEdit <CATALINA_BASE>/conf/server.xml, find the following line (<CATALINA_BASE> is the Tomcat work directory) and Comment out it (or just delete it)::
<Connector port=”8009″ protocol=”AJP/1.3″ redirectPort=”8443″ />
<!–<Connector port=”8009″ protocol=”AJP/1.3″ redirectPort=”8443″ />–>
Save the edit, and then restart Tomcat.
2. If AJP Connector service is in use, you can configure the “requiredSecret” attribute for the AJP Connector to set AJP protocol authentication credentials –
<Connector port=”8009″ protocol=”AJP/1.3″ redirectPort=”8443″ address=”YOUR_TOMCAT_IP_ADDRESS” requiredSecret=”YOUR_TOMCAT_AJP_SECRET” />
Get Started Now
Start your Qualys VMDR trial for automatically identifying, detecting and patching critical tomcat vulnerability CVE-2020-1938.