Recently, a new vulnerability on Apache Tomcat AJP connector was disclosed.
The flaw was discovered by a security researcher of Chaitin Tech  and allows a remote attacker to read any webapps files or include a file.
The AJP Connector
The AJP Connector  is generally used to manage (internal) requests, usually on port 8009, coming for example from an Apache HTTP Server.
The vulnerability (CVE-2020-1938) could be remotely exploited if port 8009 is publicly exposed.
defaultAccording to a tweet by Joao Matos , the vulnerability is not a default RCE (Remote Command Execution), but a LFI (Local File Inclusion) that can be turner in RCE:
CVE-2020-1938 is NOT a default Remote Code Execution vul. It is a LFI. So, IF you can:
- upload files via an APP feature &
- these files are saved inside the document root (eg. webapps/APP/… &
- reach the AJP port directly;
Thus, it can be turned in RCE.
A Proof-of-Concept for the vulnerability has been realeased on Github, without any additional details.
Furthermore, researcher also published an “online detection tool” useful to remotely check vulnerability.
Which Tomcat versions are affected?
- Tomcat 6 (no longer maintained)
- Tomcat 7.x < 7.0.100
- Tomcat 8.x < 8.5.51
- Tomcat 9.x < 9.0.31
Is there a fix?
Apache Tomcat has officially released versions 9.0.31, 8.5.51, and 7.0.100 to fix this vulnerability.
To fix this vulnerability correctly, you first need to determine if the Tomcat AJP Connector service is used in your server environment:
–If no cluster or reverse proxy is used, you can basically determine that AJP is not used.
–Otherwise, you need to figure out if the cluster or reverse server is communicating with the Tomcat AJP Connector service.
For additional details about fixing, please refer to the advisory.
As usual, update ASAP (and check port 8009 exposure)!