CVE-2020-1938
Arbitrary File Read vulnerability in org.apache.tomcat.embed:tomcat-embed-core
What is CVE-2020-1938 About?
Apache Tomcat versions 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50, and 7.0.0 to 7.0.99 are vulnerable when an AJP port is accessible to untrusted users. This flaw allows attackers to return arbitrary files from the web application or process any file as a JSP, potentially leading to remote code execution. Exploitation requires direct access to the AJP connector, but if accessible, it is highly impactful.
Affected Software
- org.apache.tomcat.embed:tomcat-embed-core
- >9.0.0, <9.0.31
- >8.0.0, <8.5.51
- >7.0.0, <7.0.100
Technical Details
The vulnerability stems from the default configuration of the AJP Connector in affected Apache Tomcat versions, which listened on all configured IP addresses and treated AJP connections with high trust. An attacker with access to the AJP port could leverage this trust model to manipulate requests. Specifically, they could craft AJP messages to request arbitrary files from the web application's directory structure, circumventing standard web server access controls. Furthermore, the mechanism allowed for processing any file within the web application as a JSP, even if it wasn't intended to be. If an attacker could also upload files (e.g., via a legitimate file upload feature), or control web application content, they could upload a malicious JSP or other executable file and then use this AJP vulnerability to trigger its execution, leading to Remote Code Execution.
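To make the trust model described above concrete from the defender's side, here is an added audit script (not part of this page or of Apache Tomcat) that reads a Tomcat `server.xml`, finds the AJP/1.3 connectors, and flags the two settings that matter for this CVE: a bind address that is not loopback and a missing shared secret. The `server.xml` content is a constructed sample; the `address`, `secretRequired` and `secret` connector attributes are the real Tomcat attribute names.

```python
"""Audit a Tomcat server.xml for AJP connectors exposed in the way CVE-2020-1938
relies on: reachable beyond localhost and trusting any client without a secret.
Added example code, not from Apache Tomcat or this advisory page."""
import xml.etree.ElementTree as ET

# Constructed sample: the first AJP connector mirrors the historical default
# (no address, no secret); the second shows the hardened form.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-A-LONG-RANDOM-SECRET"/>
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str):
    """Return [(port, [findings]), ...] for every AJP connector in server_xml.
    An empty findings list means the connector is bound to loopback and
    carries a secret; anything else needs review."""
    root = ET.fromstring(server_xml)
    results = []
    for conn in root.iter("Connector"):
        # Tomcat's default protocol is HTTP/1.1; AJP is selected explicitly.
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue
        findings = []
        address = conn.get("address")
        if address is None or address in ("0.0.0.0", "::"):
            findings.append("no loopback bind address: before the 7.0.100/8.5.51/9.0.31 "
                            "fix the connector listened on all configured IP addresses")
        elif address not in LOOPBACK:
            findings.append(f"bound to non-loopback address {address}")
        if conn.get("secretRequired", "").lower() == "false":
            findings.append('secretRequired="false" disables the AJP secret check')
        if not conn.get("secret"):
            findings.append("no secret configured: every client on the port is trusted")
        results.append((conn.get("port"), findings))
    return results


if __name__ == "__main__":
    for port, findings in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {port}: {'OK' if not findings else 'REVIEW'}")
        for finding in findings:
            print(f"  - {finding}")
```

Run it against a real `server.xml` by replacing the sample string; upgrading to the fixed versions listed below remains the primary remediation, with the loopback bind and secret as defence in depth.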
What is the Impact of CVE-2020-1938?
Successful exploitation may allow attackers to read sensitive files, execute arbitrary code on the server, or gain control over the affected system.
What is the Exploitability of CVE-2020-1938?
Exploitation of this vulnerability is relatively complex, requiring direct network access to the AJP Connector port. No authentication is needed to reach the AJP connector itself if it is publicly exposed, and no user privileges on the Tomcat server are required once the AJP protocol has been exploited. This is a remote exploit. The key constraint is that the AJP port must be accessible to untrusted users; the likelihood of exploitation rises significantly if the AJP Connector is exposed directly to the internet or to an untrusted internal network, contrary to best practice. If the web application offers file upload functionality, or the attacker can otherwise control web content, the arbitrary file processing capability can be escalated to remote code execution, making the exploit highly critical.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| 00theway | Link | Ghostcat read file / code execute, CNVD-2020-10487 (CVE-2020-1938) |
| bkfish | Link | CNVD-2020-10487 / CVE-2020-1938, scanner tool |
| lizhianyuguangming | Link | Tomcat automated vulnerability scanning and exploitation tool; supports batch weak-password checks, backend WAR deployment getshell, CVE-2017-12615 file upload, CVE-2020-1938/CNVD-2020-10487 file inclusion |
What are the Available Fixes for CVE-2020-1938?
Available Upgrade Options
- org.apache.tomcat.embed:tomcat-embed-core
- >7.0.0, <7.0.100 → Upgrade to 7.0.100
- org.apache.tomcat.embed:tomcat-embed-core
- >8.0.0, <8.5.51 → Upgrade to 8.5.51
- org.apache.tomcat.embed:tomcat-embed-core
- >9.0.0, <9.0.31 → Upgrade to 9.0.31
Additional Resources
- https://lists.apache.org/thread.html/rd50baccd1bbb96c2327d5a8caa25a49692b3d68d96915bd1cfbb9f8b@%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r17aaa3a05b5b7fe9075613dd0c681efa60a4f8c8fbad152c61371b6e@%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r47caef01f663106c2bb81d116b8380d62beac9e543dd3f3bc2c2beda%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r772335e6851ad33ddb076218fa4ff70de1bf398d5b43e2ddf0130e5d@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html
- https://lists.apache.org/thread.html/r43faacf64570b1d9a4bada407a5af3b2738b0c007b905f1b6b608c65@%3Cusers.tomcat.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K3IPNHCKFVUKSHDTM45UL4Q765EHHTFG
- https://lists.apache.org/thread.html/r4f86cb260196e5cfcbbe782822c225ddcc70f54560f14a8f11c6926f@%3Cusers.tomcat.apache.org%3E
What are Similar Vulnerabilities to CVE-2020-1938?
Similar Vulnerabilities: CVE-2020-1935, CVE-2014-0096, CVE-2007-0453, CVE-2007-0452, CVE-2007-0451
