Apache Tomcat File Inclusion Vulnerability (CVE-2020-1938)

Feb 24, 2020 GMT+08:00

I. Overview

It was recently disclosed that Apache Tomcat contains a file inclusion vulnerability (CVE-2020-1938). Apache Tomcat is a core project of the Apache Software Foundation's Jakarta project. The Apache JServ Protocol (AJP) connector (port 8009), which Tomcat enables by default, has implementation defects that allow a client to control connector-related request attributes. An attacker who can reach the AJP port can construct specific parameters to read arbitrary files under the webapp directory of the server. If the server also allows file uploads, this can be turned into remote code execution.

We therefore remind Apache Tomcat users to check their deployments and apply security hardening promptly.

II. Severity

Severity: important

(Severity scale: low, moderate, important, critical)

III. Affected Product

Affected Versions:

Apache Tomcat 9.x versions earlier than 9.0.31

Apache Tomcat 8.x versions earlier than 8.5.51

Apache Tomcat 7.x versions earlier than 7.0.100

All Apache Tomcat 6.x versions

Secure Versions:

Apache Tomcat 9.0.31

Apache Tomcat 8.5.51

Apache Tomcat 7.0.100

IV. Vulnerability Handling

You can use either of the following methods to handle this vulnerability:

1. Upgrade: This vulnerability has been fixed in the latest official releases. If your Tomcat version falls within the affected range, upgrade it to the corresponding secure version or later.

2. Disable the AJP service: comment out <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> in the Tomcat configuration file server.xml (in the conf directory of the Tomcat installation).

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
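The following Python script is an added self-check example, not code from this notice or from the Tomcat project. It compares a Tomcat version string against the affected ranges listed in section III, reports any AJP connector that is still active in a server.xml, and applies the hardening step from section IV by commenting the connector out. The server.xml fragment is a constructed sample.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a Tomcat server.xml fragment with the default AJP connector.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# First fixed release per branch, as listed in the notice; 6.x has no fixed release.
FIXED = {9: (9, 0, 31), 8: (8, 5, 51), 7: (7, 0, 100)}

def parse_version(version):
    """Turn '8.5.50' into the comparable tuple (8, 5, 50)."""
    return tuple(int(part) for part in version.strip().split("."))

def is_affected(version):
    """True if the given Tomcat version is in the affected range of CVE-2020-1938."""
    parts = parse_version(version)
    major = parts[0]
    if major == 6:
        return True                      # every 6.x release is affected
    if major in FIXED:
        return parts < FIXED[major]      # older than the fixed release of that branch
    return False                         # branches not listed in the notice

def enabled_ajp_connectors(xml_text):
    """Return (port, protocol) for each active AJP connector.
    Connectors that were commented out are skipped by the XML parser itself."""
    root = ET.fromstring(xml_text)
    return [(c.get("port"), c.get("protocol")) for c in root.iter("Connector")
            if "ajp" in (c.get("protocol") or "").lower()]

# Matches a self-closing Connector element whose protocol is AJP/1.3, as in the notice.
AJP_CONNECTOR = re.compile(r'<Connector\b[^>]*protocol="AJP/1\.3"[^>]*/>')

def disable_ajp(xml_text):
    """Comment out every AJP/1.3 connector, which is the hardening step in section IV."""
    return AJP_CONNECTOR.sub(lambda m: "<!-- " + m.group(0) + " -->", xml_text)

if __name__ == "__main__":
    print("9.0.30 affected:", is_affected("9.0.30"))
    print("active AJP connectors:", enabled_ajp_connectors(SAMPLE_SERVER_XML))
    print("after hardening:", enabled_ajp_connectors(disable_ajp(SAMPLE_SERVER_XML)))
```

Run it against a real deployment by reading conf/server.xml into disable_ajp() and writing the result back only after the backup and testing this notice asks for.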