
I have a question about the Tomcat vulnerability CVE-2020-1938, aka Ghostcat. The security researchers who discovered the vulnerability published a write-up here: https://www.chaitin.cn/en/ghostcat and a PoC here: https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi.

Can this vulnerability still be exploited when Apache is acting as the reverse proxy for Tomcat (and communicating with it using AJP) or would it only work when communicating directly to the AJP service on Tomcat?

I can't get the PoC to work when using Apache as a proxy, but I don't know if that's because of my lack of experience with Apache, Tomcat, and AJP and/or the lack of support in the PoC for exploitation over such a setup, OR if the vulnerability is in fact only exploitable when communicating directly with the AJP service on port 8009 on Tomcat.

schroeder
Matt

1 Answer


The vulnerability is present in the binary interface that the AJP server provides, and will only be available to Apache HTTPd. Unless the AJP port is exposed to a public network, one cannot exploit it by simply issuing HTTP requests to Apache HTTPd.

daniel
  • So I guess that even a configuration line in Apache's httpd-ajp.conf such as 'ProxyPass / ajp://127.0.0.1:8009/' wouldn't allow someone to exploit the vuln. I wasn't sure how Apache reacts when it sees an AJP request on its public interface, i.e. using the PoC on Apache with the above config line set. I didn't know whether it was a case of 'let me forward this to Tomcat' or if the request just stops short. Thanks – Matt Feb 24 '20 at 16:56
  • Correct. httpd does not accept AJP for client connections. – Mark Thomas Feb 25 '20 at 19:23
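As an added example (my own, not code from the question, the answer, or the Ghostcat write-up or PoC), the following Python script makes the distinction in the answer testable: it sends the AJP13 CPing packet that a web server uses to check its connector and classifies what comes back. A Tomcat AJP connector replies with CPong, which means the binary interface (and with it the Ghostcat attribute-injection code path) is directly reachable on that port. Apache httpd's client-facing listener, by contrast, does not speak AJP: it treats the bytes as a malformed HTTP request and answers with an HTTP status line (typically 400) rather than relaying anything to Tomcat. The packet layout is from the AJP13 protocol reference (magic 0x12 0x34 from web server to container, 'A' 'B' from container to web server, 2-byte big-endian payload length, CPing type 0x0A, CPong type 0x09); the function names and the sample responses are my own.

```python
import socket

# AJP13 framing (Apache Tomcat AJP protocol reference):
#   web server -> container: magic 0x12 0x34, 2-byte big-endian payload length, payload
#   container -> web server: magic 'A' 'B',  2-byte big-endian payload length, payload
# CPing is payload type 0x0A (one byte, so length 1); the container answers
# with CPong, payload type 0x09.
AJP_CPING = b"\x12\x34\x00\x01\x0a"
AJP_CPONG = b"AB\x00\x01\x09"


def build_cping() -> bytes:
    """Return the 5-byte AJP13 CPing packet a web server sends to test a connector."""
    return AJP_CPING


def classify_response(data: bytes) -> str:
    """Classify the bytes a port returned after receiving a CPing.

    'ajp'   : a CPong came back, so the port speaks AJP13 and the Tomcat
              connector (the interface CVE-2020-1938 lives in) is reachable.
    'http'  : an HTTP status line came back; this is what httpd's own
              listener does with AJP bytes instead of forwarding them to
              Tomcat, so the connector is not reachable through that port.
    'other' : empty reply, connection refused/timed out, or another service.
    """
    if data.startswith(AJP_CPONG):
        return "ajp"
    if data.startswith(b"HTTP/"):
        return "http"
    return "other"


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Send a CPing to host:port and classify the reply (needs network access)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_cping())
            data = sock.recv(64)
    except OSError:
        # refused, unreachable, or no reply within the timeout
        return "other"
    return classify_response(data)


if __name__ == "__main__":
    # Constructed usage for a host running httpd in front of Tomcat:
    # the AJP port should answer 'ajp' only from where the connector is bound,
    # while the public HTTP port answers 'http' and never reaches Tomcat's AJP code.
    for port in (8009, 80):
        print(port, probe("127.0.0.1", port))
```

Run it on the Tomcat host itself and on a remote machine: if `probe(host, 8009)` returns `"ajp"` from a network you do not trust, the connector is exposed and the PoC applies regardless of the httpd proxy in front. The `ProxyPass / ajp://127.0.0.1:8009/` line only makes httpd open its own AJP connections to Tomcat; it does not turn httpd's port 80 into an AJP listener, which is why the probe against port 80 comes back as `"http"`. The fix shipped in Tomcat 9.0.31, 8.5.51 and 7.0.100 binds the AJP connector to the loopback address by default and requires a shared secret, which this probe will also reflect (no CPong from a non-loopback address).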