Security Vulnerability - CVE-2020-1938 aka 'Ghostcat - Apache Tomcat AJP File Read/Inclusion Vulnerability'

This document (000019606) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 15

Situation

Security researchers discovered a flaw in the AJP protocol implementation of Tomcat that allows a malicious user to read or include any file in the web application directories of Tomcat. This may, for example, allow an attacker to execute arbitrary code on the target host.

This vulnerability is named "Ghostcat" mainly because it has existed for more than a decade: it is verified to affect Tomcat versions as old as version 6, and older versions are potentially affected too.

Specifically, any Tomcat instance with the AJP connector enabled and its port reachable by a malicious user is vulnerable to Ghostcat.

Resolution

The Tomcat project has released fixed versions 9.0.31, 8.5.51 and 7.0.100, and has published mitigation instructions for other versions.

SUSE has already shipped the upgraded version 9.0.31 of Tomcat in:
  • SUSE Linux Enterprise Server 15 LTSS
  • SUSE Linux Enterprise Server 15 Service Pack 1
  • SUSE Linux Enterprise Server 12 Service Pack 4
  • SUSE Linux Enterprise Server 12 Service Pack 5

Additionally, a patch for Tomcat version 8.0.53 is already shipped in:
  • SUSE Linux Enterprise Server 12 Service Pack 1 LTSS
  • SUSE Linux Enterprise Server 12 Service Pack 2 LTSS
  • SUSE Linux Enterprise Server 12 Service Pack 3 LTSS

Also, a patch for Tomcat version 6.0.53 has been provided in:
  • SUSE Linux Enterprise Server 11 Service Pack 4 LTSS

Please note that this update may break some functionality, since the AJP connector is disabled by default after the update. Customers who still need the AJP connector must enable it explicitly and set a 'secret' in the configuration file.

On SLES servers this configuration is usually located in /etc/tomcat/server.xml.

Inside this file, the following section is commented out:
    <!-- Define an AJP 1.3 Connector on port 8009 -->

    <!--
    <Connector protocol="AJP/1.3"
               address="::1"
               port="8009"
               redirectPort="8443" />
    -->
Removing the XML comment tags enables it; if you do so, make sure that a 'secret' is also specified.

This can be done similarly to the following:
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector protocol="AJP/1.3"
               address="::1"
               port="8009"
               redirectPort="8443"
               secretRequired="true"
               secret="YOUR_TOMCAT_AJP_SECRET" />
Please replace the string YOUR_TOMCAT_AJP_SECRET above with your own strong secret.

Note that packages provided by SUSE currently do not enforce the use of a secret, for compatibility reasons. Regardless, always set a secret when you re-enable the AJP connector; failing to do so reintroduces the vulnerability.

Additionally, if mod_proxy_ajp is in use, the same secret must also be set in its configuration, as a parameter on the ProxyPass line:
    ProxyPass / ajp://localhost:8009/ secret=YOUR_TOMCAT_AJP_SECRET
Support for this secret parameter is not yet available in the apache2 mod_proxy_ajp packages for SUSE Linux Enterprise, but will be delivered soon.
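The following script is an added example, not SUSE's or Tomcat's own tooling, that checks the two configuration points described above: whether an AJP connector in server.xml is enabled, whether it carries a real, enforced secret, and whether the mod_proxy_ajp ProxyPass line uses the same secret. The server.xml and httpd snippets are constructed samples; the status names ("no-secret", "placeholder-secret", "secret-not-enforced", "ok") and the sample secret value are this example's own, and the placeholder YOUR_TOMCAT_AJP_SECRET is the one from this document.

```python
"""Audit a Tomcat server.xml and an Apache mod_proxy_ajp snippet for the
CVE-2020-1938 mitigation described in this TID: AJP connector disabled, or
enabled with a real secret that is required and also set on the proxy side.
Added example, not SUSE's or Tomcat's own tooling; it only reads
configuration text and never contacts a server."""
import re
import xml.etree.ElementTree as ET


def server_xml(connector_fragment: str) -> str:
    """Wrap one connector fragment in a minimal server.xml (constructed sample)."""
    return f"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    {connector_fragment}
  </Service>
</Server>"""


# Constructed samples covering the states a SLES host can end up in.
SERVER_XML_DISABLED = server_xml(      # as shipped by the update: commented out
    '<!-- Define an AJP 1.3 Connector on port 8009 -->\n    <!--\n'
    '    <Connector protocol="AJP/1.3" address="::1" port="8009" redirectPort="8443" />\n    -->')
SERVER_XML_NO_SECRET = server_xml(     # comment removed, nothing else changed: vulnerable
    '<Connector protocol="AJP/1.3" address="::1" port="8009" redirectPort="8443" />')
SERVER_XML_PLACEHOLDER = server_xml(   # TID example pasted verbatim, placeholder never replaced
    '<Connector protocol="AJP/1.3" address="::1" port="8009" redirectPort="8443" '
    'secretRequired="true" secret="YOUR_TOMCAT_AJP_SECRET" />')
SERVER_XML_OK = server_xml(            # mitigated as the TID describes
    '<Connector protocol="AJP/1.3" address="::1" port="8009" redirectPort="8443" '
    'secretRequired="true" secret="k7Q2-example-secret" />')
SERVER_XML_EXPOSED = server_xml(       # secret present but not enforced, bound to all interfaces
    '<Connector protocol="AJP/1.3" address="0.0.0.0" port="8009" redirectPort="8443" '
    'secret="k7Q2-example-secret" />')

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def audit_server_xml(xml_text: str) -> list:
    """Return one finding dict per *enabled* AJP connector.

    A connector wrapped in <!-- --> is a comment to the XML parser, so it is
    skipped, which is exactly the 'disabled' state the update ships.
    """
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if "AJP" not in conn.get("protocol", "").upper():
            continue  # HTTP/HTTPS connectors are not affected by CVE-2020-1938
        secret = conn.get("secret", "")
        if not secret:
            status = "no-secret"            # re-enabled without a secret: vulnerable again
        elif secret == "YOUR_TOMCAT_AJP_SECRET":
            status = "placeholder-secret"   # the TID's sample value was never replaced
        elif conn.get("secretRequired", "").lower() != "true":
            status = "secret-not-enforced"  # SUSE builds only enforce it when told to
        else:
            status = "ok"
        findings.append({
            "port": conn.get("port", "?"),
            "status": status,
            "secret": secret,
            "loopback_only": conn.get("address", "") in LOOPBACK_ADDRESSES,
        })
    return findings


# Matches "ProxyPass <path> ajp://<backend> [key=value ...]" lines of mod_proxy_ajp.
PROXYPASS_RE = re.compile(r"^[ \t]*ProxyPass[ \t]+\S+[ \t]+ajp://(\S+?)(?:[ \t]+(.*))?$", re.M)


def proxypass_secrets(httpd_conf: str) -> dict:
    """Map each ajp:// ProxyPass backend to its secret= parameter (None if missing)."""
    result = {}
    for backend, params in PROXYPASS_RE.findall(httpd_conf):
        kv = dict(p.split("=", 1) for p in params.split() if "=" in p)
        result[backend] = kv.get("secret")
    return result


def secrets_consistent(xml_text: str, httpd_conf: str) -> bool:
    """True only if every ajp:// ProxyPass carries a secret that matches a secret
    configured on an enabled AJP connector in server.xml."""
    tomcat_secrets = {f["secret"] for f in audit_server_xml(xml_text) if f["secret"]}
    proxy = proxypass_secrets(httpd_conf)
    return bool(proxy) and all(s in tomcat_secrets for s in proxy.values())


# Constructed httpd snippets: the TID's ProxyPass line with and without the secret.
HTTPD_CONF_OK = "ProxyPass / ajp://localhost:8009/ secret=k7Q2-example-secret\n"
HTTPD_CONF_NO_SECRET = "ProxyPass / ajp://localhost:8009/\n"

if __name__ == "__main__":
    samples = [("disabled", SERVER_XML_DISABLED), ("no secret", SERVER_XML_NO_SECRET),
               ("placeholder", SERVER_XML_PLACEHOLDER), ("ok", SERVER_XML_OK),
               ("exposed", SERVER_XML_EXPOSED)]
    for name, xml_text in samples:
        print(f"{name:12} {audit_server_xml(xml_text) or 'no AJP connector enabled'}")
    print("proxy secret consistent:", secrets_consistent(SERVER_XML_OK, HTTPD_CONF_OK))
```

To run it against a real host, pass the contents of /etc/tomcat/server.xml and the relevant apache2 configuration file to audit_server_xml and secrets_consistent instead of the constructed samples. The "loopback_only" field is reported because the page's own example binds the connector to ::1; a connector with a secret but reachable from any interface still depends entirely on that secret staying private.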

SUSE recommends that all customers keep their systems up to date and apply this security patch.

Status

Security Alert

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000019606
  • Creation Date: 15-Apr-2020
  • Modified Date: 17-Apr-2020
  • SUSE Linux Enterprise Server
