Apache Tomcat File Inclusion Vulnerability (CVE-2020-1938) Threat Alert

Apache Tomcat File Inclusion Vulnerability (CVE-2020-1938) Threat Alert

March 2, 2020 | Adeline Zhang

Vulnerability Description

On February 20, China National Vulnerability Database (CNVD) released an Apache Tomcat file inclusion vulnerability (CNVD-2020-10487/CVE-2020-1938). This vulnerability is due to a flaw in the Tomcat Apache JServ Protocol (AJP). An attacker could exploit this vulnerability to read arbitrary files from a web application directory on the server. If the target server also provides the file upload function, the attacker can further implement remote code execution. Currently, the vendor has released new versions to fix this vulnerability. Tomcat is an important project of the Apache Software Foundation (ASF). Owing to its stable performance and availability for free use, it is quite a popular web application server. Considering the widespread deployment of Tomcat, the vulnerability in question affects a large number of users. Tomcat users should take preventive measures to fix this vulnerability as soon as possible.

For details of this vulnerability, visit the following link:

https://www.cnvd.org.cn/webinfo/show/5415

Scope of Impact

Affected Versions

  • Apache Tomcat 6
  • Apache Tomcat 7 < 7.0.100
  • Apache Tomcat 8 < 8.5.51
  • Apache Tomcat 9 < 9.0.31

Unaffected Versions

  • Apache Tomcat = 7.0.100
  • Apache Tomcat = 8.5.51
  • Apache Tomcat = 9.0.31

 

Vulnerability Detection

  • Version Check

Generally, the file name of a Tomcat installation package downloaded from the official website of Apache Tomcat contains the version number. Users can find out the current version number by checking the decompressed folder name.

If the decompressed Tomcat folder name was changed or the package was installed with Windows Service Installer, users can query the current version number by using the version module that comes with the software. Enter the path to the bin folder of the Tomcat installation package and type the version.bat command. Then the current version number of Tomcat is displayed.

If the current version is within the affected scope, the application is potentially at risk.

Mitigation

  • Official Update

Currently, this vulnerability has been fixed in the latest versions. Affected users are advised to upgrade to these versions as soon as possible from the following links:

Version Download URL
Apache Tomcat 7.0.100 http://tomcat.apache.org/download-70.cgi
Apache Tomcat 8.5.51 http://tomcat.apache.org/download-80.cgi
Apache Tomcat 9.0.31 http://tomcat.apache.org/download-90.cgi

 

  • Other Protective Measures

Users that cannot upgrade to the latest versions can take the following protective measures:

  1. If Tomcat AJP is not used, disable the AJP connector or change the listened address to only listen on the localhost.

The detailed procedure is as follows:

(1) Locate the following line (<CATALINA_BASE> is the working directory of Tomcat) in <CATALINA_BASE>/conf/server.xml:

<Connector port=”8009″protocol=”AJP/1.3″ redirectPort=”8443″ />

(2) Comment out this line (or delete it).

<!–<Connectorport=”8009″ protocol=”AJP/1.3″redirectPort=”8443″ />–>

(3) Save the file and restart Tomcat to make the change take effect.

  1. To use Tomcat AJP, you can configure the protocol attribute as the authentication credential, depending on the Tomcat version you use:

For Tomcat 7 and 9, you can configure a secret for the AJP connector (YOUR_TOMCAT_AJP_SECRET must be changed to a highly secure secret that cannot be guessed easily):

<Connector port=”8009″protocol=”AJP/1.3″ redirectPort=”8443″address=”YOUR_TOMCAT_IP_ADDRESS” secret=”YOUR_TOMCAT_AJP_SECRET”/>

For Tomcat 8, you can set requiredSecret for the AJP connector (YOUR_TOMCAT_AJP_SECRET must be changed to a highly secure secret that cannot be guessed easily):

<Connector port=”8009″protocol=”AJP/1.3″ redirectPort=”8443″address=”YOUR_TOMCAT_IP_ADDRESS”requiredSecret=”YOUR_TOMCAT_AJP_SECRET” />

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

Founded in April 2000, NSFOCUS Information Technology Co., Ltd. (NSFOCUS) was headquartered in Beijing. With more than 30 branches and subsidiaries at home and abroad, the company provides most competitive security products and solutions for governments, carriers, and financial, energy, Internet, education, and medical sectors, ensuring customers’ business continuity.

Based on years of research in security assurance, NSFOCUS has set foot in network and terminal security, Internet infrastructure security, and compliance and security management. The company provides the intrusion detection/prevention system, anti-DDoS system, remote security assessment system, and web security protection products as well as professional security services for customers.

NSFOCUS Information Technology Co., Ltd. started trading its shares at China’s Nasdaq-style market, ChiNext, in Shenzhen on January 29, 2014, with the name of NSFOCUS and code of 300369.