You are here

Home › Apache Tomcat AJP File Read/Inclusion Vulnerability (Ghostcat)

Apache Tomcat AJP File Read/Inclusion Vulnerability (Ghostcat)

Submitted on 25. February 2020 - 10:40 by rischi.
Last update on 26. January 2021 - 16:09.
IDs: 
CVE-2020-1938 i
Keywords: 
ajp, tomcat
Description: 

CVE-2020-1938 is a file read/inclusion vulnerability in the AJP connector in Apache Tomcat (aka Ghostcat).  A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution (RCE).

Airlock WAF uses AJP for internal communication (localhost) between the Management Apache HTTP Server and the Management Apache Tomcat Server (used for the Configuration Center).

Airlock IAM does not use AJP connectors by default.

Resolution: 

Airlock WAF is not affected because

  • AJP in not exposed to any untrusted clients
  • The vulnerability can not be exploited indirectly through Apache HTTP Server.

Airlock IAM after version 7.0 is not affected because AJP is not used.

Airlock IAM before version 7.0 does not use the AJP connector by default. In case the default configuration (server.xml) was changed to use the AJP connector and this Tomcat server is exposed to an untrusted client/network please contact Airlock support for further advise

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock
Reference: 
[1] Bug 1806398 (CVE-2020-1938) - CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability [NEEDINFO]
© Ergon Informatik AG