High risk Ghostcat bug impacts all Apache Tomcat versions released in the last 13 years

A Chinese cybersecurity firm called Chaitin Tech discovered a flaw named Ghostcat which affects all versions of Tomcat servers released in the last 13 years. If you are currently running an Apache Tomcat server, you should upgrade to the latest version immediately; otherwise attackers could take unauthorized control of it.

All supported versions of Apache Tomcat (9.x/8.x/7.x/6.x) have been found vulnerable to this flaw, and what is more concerning is that several proof-of-concept exploits for this vulnerability are already public.

What Is the Ghostcat Flaw and How Does It Work?

According to Chinese cybersecurity company Chaitin Tech, the vulnerability resides in the AJP connector of Apache Tomcat and arises from improper handling of a request attribute.

“If the site allows users to upload files, an attacker can first upload a file containing malicious JSP script code to the server (the uploaded file itself can be of any filetype, such as pictures, plain text files, etc.), and then include the uploaded file by exploiting the Ghostcat, which finally can result in remote code execution,” the researchers said.

AJP stands for Apache JServ Protocol and is a performance-optimized, binary counterpart of the HTTP protocol. Tomcat uses AJP to exchange data with Apache HTTPD web servers placed in front of it, or with other Tomcat instances.

Tomcat’s AJP connector is enabled by default on all Tomcat servers and listens on port 8009.

Chaitin researchers say they discovered a bug in AJP that can be exploited to read files from, or write files to, a Tomcat server.

For example, attackers could read app configuration files and steal passwords or API tokens, or they could write files to a server, such as backdoors or web shells (the Ghostcat “write” attack is only possible if an app hosted on the Tomcat server allows users to upload files).

Patch and Mitigation

According to a BinaryEdge search, more than one million Tomcat servers are currently reachable online, which makes patching the flaw urgent.

Chaitin researchers say they found the bug in early January this year and worked with the Apache Tomcat project to have patches ready before going public.

Fixes were released for the Tomcat 7.x, 8.x, and 9.x branches, but not for the 6.x branch, which reached end-of-life in 2016. The Chaitin team also released an update to their XRAY tool so it can scan networks for the presence of vulnerable Tomcat servers.
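Upgrading is the fix; a defender also wants to confirm that the AJP connector the article describes (enabled by default, listening on port 8009) is not exposed on their own servers. The following added example, not code from the article or from the Tomcat project, audits a Tomcat server.xml for that condition. It assumes the AJP connector is a <Connector> element whose protocol name contains "AJP", that an absent address attribute means the connector binds to all interfaces, and that the patched releases let you require a shared secret from the fronting httpd via the secretRequired and secret attributes; the three server.xml samples are constructed for the example.

```python
"""Audit a Tomcat server.xml for an exposed AJP connector (added example)."""
import xml.etree.ElementTree as ET

# Bind addresses that keep AJP reachable only from the same host.
LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: the pre-patch default, AJP enabled on every interface
# on port 8009 with no shared secret. This is the exposure the article describes.
WEAK_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: AJP kept for a local httpd front end, but bound to
# loopback and requiring a shared secret (placeholder value, not a real secret).
HARDENED_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET"
               redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: AJP not needed at all, so the connector is commented out.
DISABLED_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
  </Service>
</Server>
"""


def audit_ajp(server_xml: str) -> list:
    """Return one record per AJP connector, listing the weaknesses found."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if "AJP" not in protocol.upper():
            continue  # HTTP connectors are out of scope here
        address = conn.get("address")  # absent: Tomcat binds to all interfaces
        issues = []
        if address is None or address not in LOOPBACK_ADDRESSES:
            issues.append("listens on non-loopback interface")
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        if not secret_required or not conn.get("secret"):
            issues.append("no shared secret required")
        findings.append({"port": conn.get("port", "8009"),
                         "address": address, "issues": issues})
    return findings


def is_exposed(server_xml: str) -> bool:
    """True if any AJP connector in the config has at least one weakness."""
    return any(f["issues"] for f in audit_ajp(server_xml))


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML),
                       ("hardened", HARDENED_SERVER_XML),
                       ("disabled", DISABLED_SERVER_XML)):
        print(label, "exposed" if is_exposed(xml) else "ok", audit_ajp(xml))
```

On a real host, read the file under $CATALINA_BASE/conf/server.xml into audit_ajp; a clean result still does not replace upgrading, because the flaw is in the connector's request handling, not only in its exposure.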