Post identifying the prerequisites for an RCE to take place João Matos, a well-known security researcher from Brazil, identified the prerequisites needed for Ghostcat to become an RCE.įigure 2. These are requirements that, when combined, are hard to find in a real-world scenario. However, aside from an exposed AJP, it would require several other prerequisites for an RCE to happen.
In summary, Ghostcat can cause issues to organizations if they have Tomcat AJP Connector exposed externally, which is not a recommended configuration in the first place. This scenario, combined with the ability to process a file as a JSP (as made possible through the vulnerability), would make an RCE feasible. The advisory further detailed the circumstances necessary for an RCE to take place: The web application needs to allow file upload and storage of these uploaded files within the web application itself, or an attacker would have to gain control over the content of the web application somehow.
APACHE TOMCAT VIRUS CODE
On the Apache Tomcat Security Advisory page, Ghostcat is described as “AJP Request Injection and potential Remote Code Execution.” The keyword “potential” serves to emphasize that Ghostcat is not an RCE vulnerability by default. Ghostcat in itself is a Local File Include/Read vulnerability and not an Arbitrary File Upload/Write vulnerability. Apache JServ Protocol illustration The Ghostcat Vulnerability This is important to point out, as it’s one of the prerequisites for the RCE scenario that we will discuss in the next section.įigure 1. The bottom line is that AJP is not, by nature, exposed externally. AJP is implemented as a module in the Apache HTTP Server, represented as mod_jk or mod_proxy_ajp. In simple terms, this means that the HTTP Connector is exposed to clients, while the AJP is used internally between the webserver (e.g., Apache HTTPD) and the Apache Tomcat server (illustrated in Figure 1). It is mainly used in a cluster or reverse proxy scenario where web servers communicate with application servers or servlet containers. The AJP is a binary protocol used by the Apache Tomcat webserver to communicate with the servlet container that sits behind the webserver using TCP connections. 20 by Chaitin Tech security researchers, who reported that the vulnerability exists in the Apache JServ Protocol (AJP). This blog entry seeks to put the most feared Ghostcat-related scenario into perspective by delving into the unlikely circumstances that would make it possible to allow an RCE through the vulnerability. Discussions surrounding the Ghostcat vulnerability ( CVE-2020-1938 and CNVD-2020-10487) found in Apache Tomcat puts it in the spotlight as researchers looked into its security impact, specifically its potential use for remote code execution (RCE).Īpache Tomcat is a popular open-source Java servlet container, so the discovery of Ghostcat understandably set off some alarms.
0 kommentar(er)
