Service Notices
Apache Tomcat File Inclusion Vulnerability (CVE-2020-1938)
Feb 24, 2020 GMT+08:00
I. Overview
It was recently disclosed that Apache Tomcat contains a file inclusion vulnerability (CVE-2020-1938). Apache Tomcat is a core project of the Apache Software Foundation's Jakarta project. The Apache JServ Protocol (AJP) service (port 8009), which Tomcat enables by default, has implementation defects that leave related request parameters under the client's control. Attackers can exploit this vulnerability by constructing specific parameters to read arbitrary files in the server's webapp directory. If the file upload function is also enabled on the server, attackers can achieve remote code execution.
We therefore remind Apache Tomcat users to carry out a self-check and apply security hardening promptly.
II. Severity
Severity: important
(Severity: low, moderate, important, and critical)
III. Affected Product
Affected Versions:
Apache Tomcat 9.x versions earlier than 9.0.31
Apache Tomcat 8.x versions earlier than 8.5.51
Apache Tomcat 7.x versions earlier than 7.0.100
All Apache Tomcat 6.x versions
Secure Versions:
Apache Tomcat 9.0.31
Apache Tomcat 8.5.51
Apache Tomcat 7.0.100
IV. Vulnerability Handling
You can use either of the following methods to handle this vulnerability:
1. Upgrade: This vulnerability has been fixed in the latest official versions. If your service version falls into the affected range, upgrade it to the latest version.
2. Disable the AJP service: comment out <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> in the Tomcat configuration file server.xml.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
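The following self-check script is an added example and is not part of this notice or of Apache Tomcat. It applies the affected and secure version ranges listed above and inspects a server.xml for an AJP connector that is still active; the sample server.xml content is constructed here, and XML comments are dropped during parsing, so a connector commented out as in step 2 is correctly reported as disabled.

```python
"""Self-check for CVE-2020-1938: affected Tomcat versions and active AJP connectors."""
import re
import xml.etree.ElementTree as ET

# First secure release on each branch, as listed in the notice.
FIXED = {9: (9, 0, 31), 8: (8, 5, 51), 7: (7, 0, 100)}


def parse_version(text):
    """Extract (major, minor, patch) from '9.0.30' or 'Apache Tomcat/9.0.30'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no Tomcat version found in %r" % text)
    return tuple(int(x) for x in m.groups())


def is_affected(text):
    """True if the version falls in the notice's affected range."""
    v = parse_version(text)
    if v[0] == 6:
        return True                 # all 6.x are affected; no fixed 6.x release
    if v[0] in FIXED:
        return v < FIXED[v[0]]      # tuple comparison: 9.0.30 < 9.0.31
    return False                    # branches the notice does not cover


def active_ajp_connectors(server_xml):
    """Return (port, address) for every uncommented AJP connector.
    ElementTree discards comments, so a commented-out connector is not listed."""
    root = ET.fromstring(server_xml)
    return [(c.get("port"), c.get("address"))
            for c in root.iter("Connector")
            if c.get("protocol", "").upper().startswith("AJP")]


# Constructed sample resembling a default server.xml with AJP still enabled.
SAMPLE_ENABLED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""
# The same file after the notice's workaround: AJP connector commented out.
SAMPLE_DISABLED = SAMPLE_ENABLED.replace(
    '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />',
    '<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->')

if __name__ == "__main__":
    for ver in ("Apache Tomcat/9.0.30", "9.0.31", "8.5.50", "7.0.100", "6.0.53"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    print("AJP enabled :", active_ajp_connectors(SAMPLE_ENABLED))
    print("AJP disabled:", active_ajp_connectors(SAMPLE_DISABLED))
```

To check a real installation, pass the output of Tomcat's version script to is_affected and the contents of your server.xml to active_ajp_connectors.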