Servers running Apache Tomcat are facing a new high-severity vulnerability.
Yet another vulnerability is out in the wild, this time threatening web servers running Apache Tomcat.
All versions (9.x/8.x/7.x/6.x) of Apache Tomcat released in the last 13 years have been found vulnerable to a new high-severity (CVSS 9.8) 'file read and inclusion bug', which can be exploited in the default configuration.
The matter is all the more serious because several proof-of-concept exploits for this newly found vulnerability have appeared on the internet, allowing anyone to attack publicly accessible vulnerable web servers.
The vulnerability is called Ghostcat.
It is tracked as CVE-2020-1938.
The vulnerability allows unauthenticated, remote attackers to read the contents of any file on a vulnerable web server and obtain crucial configuration files or source code, or to execute arbitrary code if the server allows file upload.
So if your web server runs Apache Tomcat, install the latest available version of the server application as soon as possible to stop attackers from taking control of it.
According to Chinese cybersecurity company Chaitin Tech, the vulnerability resides in the AJP protocol of Apache Tomcat and arises from improper handling of an attribute.
"If the site allows users upload file, an attacker can first upload a file containing malicious JSP script code to the server (the uploaded file itself can be of any file type, such as pictures, plain text files, etc.), and then include the uploaded file by exploiting the Ghostcat, which finally can result in remote code execution," the researchers said.
Apache JServ Protocol (AJP) is essentially an optimized version of the HTTP protocol that allows Tomcat to communicate with an Apache web server.
Though the AJP protocol is enabled by default and listens on TCP port 8009, it is bound to IP address 0.0.0.0 and can only be exploited remotely when it is accessible to untrusted clients.
According to 'onyphe', a search engine for open-source and cyber threat intelligence data, more than 170,000 devices are exposing an AJP Connector to everyone via the internet at the time of writing.
Chaitin researchers discovered the Ghostcat vulnerability and reported it to the Apache Tomcat project in January. The project subsequently released Apache Tomcat 9.0.31, 8.5.51, and 7.0.100 to patch the issue.
Web administrators are strongly advised to install the software updates immediately and never to expose the AJP port to untrusted clients, because AJP communicates over an insecure channel and is meant to be used within a trusted network.
"Users should note that a number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31 or later will need to make small changes to their configurations as a result," the Tomcat team said.
If you are unable to upgrade your affected web server immediately, you can also disable the AJP Connector directly or change its listening address to localhost.
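One way to check a Tomcat configuration against this advice is to list every AJP Connector in `server.xml` and see where it listens. The script below is an added example, not code from Chaitin Tech or the Tomcat project; the sample `server.xml`, the function names and the verdict wording are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml: one HTTP connector (ignored by the audit)
# and three AJP connectors with different address settings.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"/>
    <Connector port="8011" protocol="AJP/1.3" address="0.0.0.0"/>
  </Service>
</Server>
"""

def is_loopback(address):
    """True only when the address attribute is an explicit loopback address."""
    if address is None:
        return False
    if address.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # a hostname we cannot prove is loopback

def audit_ajp_connectors(server_xml):
    """Return (port, verdict) for every AJP connector in a server.xml string."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # Tomcat treats a missing protocol attribute as HTTP/1.1.
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue
        address = conn.get("address")
        if is_loopback(address):
            verdict = "ok: bound to loopback"
        elif address is None:
            verdict = "review: no address set; affected versions bind to 0.0.0.0"
        else:
            verdict = "exposed: listens on " + address
        findings.append((conn.get("port"), verdict))
    return findings

if __name__ == "__main__":
    for port, verdict in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {port}: {verdict}")
```

An empty result means no AJP Connector is defined, which corresponds to the "disable the AJP Connector" option.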