
Apache Tomcat AJP File Read/Inclusion Vulnerability (Ghostcat)

IDs: 
CVE-2020-1938
Keywords: 
ajp, tomcat
Description: 

CVE-2020-1938 is a file read/inclusion vulnerability in the AJP connector in Apache Tomcat (aka Ghostcat). A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution (RCE).

Airlock WAF uses AJP for internal communication (localhost) between the Management Apache HTTP Server and the Management Apache Tomcat Server (used for the Configuration Center).

Airlock IAM does not use AJP connectors by default.

Resolution: 

Airlock WAF is not affected because

  • AJP is not exposed to any untrusted clients.
  • The vulnerability cannot be exploited indirectly through Apache HTTP Server.

Airlock IAM after version 7.0 is not affected because AJP is not used.

Airlock IAM before version 7.0 does not use the AJP connector by default. In case the default configuration (server.xml) was changed to use the AJP connector and this Tomcat server is exposed to an untrusted client/network, please contact Airlock support for further advice.
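The condition described above (an AJP connector enabled in server.xml and reachable beyond localhost) can be checked mechanically. The following audit script is an added example, not part of this advisory or of Airlock's tooling; it assumes that a missing `address` attribute means "all interfaces" (the AJP default before the CVE-2020-1938 fix) and that the `secret`/`secretRequired` attributes are those of the fixed Tomcat releases (9.0.31, 8.5.51, 7.0.100). The sample server.xml fragments are constructed for illustration.

```python
"""Audit a Tomcat server.xml for AJP connectors that reach beyond localhost.

Added example (not from the Airlock advisory or Airlock's own tooling).
Assumptions: a missing "address" attribute is treated as "all interfaces",
the AJP default before the CVE-2020-1938 fix; "secret"/"secretRequired"
are the attributes of the fixed Tomcat releases (9.0.31, 8.5.51, 7.0.100).
"""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost", "0:0:0:0:0:0:0:1"}


def audit_ajp(server_xml: str) -> dict:
    """Map each enabled AJP connector port to the list of findings for it.

    Connectors inside XML comments (the stock server.xml ships the AJP
    connector commented out) are skipped by the parser, so an unchanged
    default configuration yields an empty result.
    """
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue  # HTTP connectors are not in scope for Ghostcat
        issues = []
        address = conn.get("address", "0.0.0.0")  # assumption: pre-fix default
        if address not in LOOPBACK:
            issues.append("bound to %s, reachable from the network" % address)
        # Fixed releases reject AJP requests without the shared secret unless
        # secretRequired="false"; older releases ignore both attributes.
        if not conn.get("secret") and conn.get("secretRequired", "true") != "false":
            issues.append("no AJP 'secret' configured")
        findings[conn.get("port", "?")] = issues
    return findings


# Constructed samples: a risky pre-fix style connector and a hardened one.
RISKY = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

HARDENED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="REPLACE-WITH-LONG-RANDOM-VALUE"/>
</Service></Server>"""

if __name__ == "__main__":
    for name, xml in (("risky", RISKY), ("hardened", HARDENED)):
        for port, issues in audit_ajp(xml).items():
            print(name, "AJP port", port, "->", issues or ["loopback only, secret set"])
```

Run it against the real file with `audit_ajp(open("/path/to/server.xml").read())`; an empty dictionary means no enabled AJP connector was found.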

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock