Flashpoint analysts Cheng Lu and Steven Ouellette found an exploit for an Apache Tomcat vulnerability tracked as CVE-2020-1938. The vulnerability allows information disclosure via file retrieval from a vulnerable server, without authentication and without a user being tricked into a compromising interaction. In addition, it could allow remote code execution (RCE).
Impact of the vulnerability
“Due to the nature of the vulnerability, [the exploit] can be leveraged without any user interactions and with high reliability, with a low chance of causing the vulnerable server to crash,” explained the researchers in a blog post.
The Apache Tomcat open-source web server supports various Java-based technologies, including the Apache JServ Protocol (AJP) interface, which allows the Tomcat servlet container, called Catalina, to communicate with web applications that support extended functionality for websites.
“The AJP connector handles inbound requests [from applications] and passes to Catalina. Catalina then passes the request to the proper web application and receives the dynamically generated content. This content is then sent back over the network by the AJP connector as the response to the request,” wrote Lu and Ouellette.
The researchers warned that the connector “is expected to be exposed only internally,” and continued:
“Through the AJP connector, an attacker can retrieve arbitrary files from Tomcat’s web root, including the files residing within the ‘WEB-INF’ and ‘META-INF’ directories through the ServletContext.getResourceAsStream() function.”
The bug can also open the door to RCE, but only when the vulnerable Tomcat server allows file uploads. In that case, an attacker can upload their own code via the AJP connector.
Prevention against these attacks
Because attackers cannot simply change the server settings themselves to allow file uploads, the researchers underlined that only a portion of the vulnerable Tomcat servers may suffer the code-execution impact of this vulnerability. However, it should be noted that such a capability can be implemented from the PoC code with relative ease.
To prevent these attacks, web admins should update their Apache Tomcat instances to version 8.5.51. Exposing the connector only within a trusted network segment also reduces the attack surface.
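The following is an added example, not code from the article or from the Flashpoint researchers: a Python check over a Tomcat server.xml that lists the AJP connectors and flags those not limited to loopback, in line with the advice to expose the connector only in a trusted segment. The sample configuration is constructed, and the `secret` check relies on Tomcat's AJP connector attribute of that name, which the article does not mention.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the article); secrets are placeholders.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="AJP/1.3" address="0.0.0.0" secret="PLACEHOLDER" />
    <Connector port="8011" protocol="org.apache.coyote.ajp.AjpNioProtocol" address="127.0.0.1" secret="PLACEHOLDER" />
  </Service>
</Server>
"""

def is_ajp(connector):
    # AJP connectors are declared as "AJP/1.3" or by an AJP protocol class name.
    proto = connector.get("protocol", "HTTP/1.1")
    return proto.upper().startswith("AJP/") or proto.startswith("org.apache.coyote.ajp.")

def bind_issue(address):
    """Return a finding for the connector's bind address, or None if loopback-only."""
    if address is None:
        return "no explicit address: bind depends on the version default, set it explicitly"
    if address == "localhost":
        return None
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return f"hostname {address!r}: confirm it resolves inside the trusted segment"
    if ip.is_unspecified:
        return "listens on all interfaces"
    if ip.is_loopback:
        return None
    return f"bound to {ip}: confirm this interface is on the trusted segment"

def audit_ajp(server_xml):
    """Map each AJP connector's port to a list of exposure findings."""
    findings = {}
    for conn in ET.fromstring(server_xml.strip()).iter("Connector"):
        if not is_ajp(conn):
            continue
        issues = [i for i in (bind_issue(conn.get("address")),) if i]
        if not (conn.get("secret") or conn.get("requiredSecret")):
            issues.append("no shared secret configured")
        findings[conn.get("port")] = issues
    return findings

if __name__ == "__main__":
    print(audit_ajp(SAMPLE_SERVER_XML))
```

Connectors that are commented out in server.xml are ignored by the XML parser, so only active AJP connectors are reported.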