JPCERT-AT-2020-0009
JPCERT/CC
2020-02-25(Initial)
2020-02-28(Update)
In addition, a remote attacker may execute arbitrary code if the Web application allows file upload and stores files.
For more information on the vulnerability, please refer to the information provided by Apache Software Foundation.
Apache Software Foundation
[SECURITY] CVE-2020-1938 AJP Request Injection and potential Remote Code Execution
https://lists.apache.org/thread.html/r7c6f492fbd39af34a68681dbbba0468490ff1a97a1bd79c6a53610ef%40%3Cannounce.tomcat.apache.org%3E
- Apache Tomcat versions 9.0.0.M1 to 9.0.30
- Apache Tomcat versions 8.5.0 to 8.5.50
- Apache Tomcat versions 7.0.0 to 7.0.99
- Apache Tomcat 9.0.31
- Apache Tomcat 8.5.51
- Apache Tomcat 7.0.100
- Disable AJP if AJP is not required
- Restrict access such as AJP authentication settings if AJP is required
[Setting Example]
Settings on the Tomcat
- Perform the following settings for Connector port in <CATALINA_BASE>/conf/server.xml
=====================================================================
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="YOUR_TOMCAT_IP_ADDRESS" requiredSecret="YOUR_TOMCAT_AJP_SECRET" />
=====================================================================
Setting on the Apache
- Make the following settings for ProxyPass in /conf/httpd.conf
=====================================================================
ProxyPass "URL" secret = "YOUR_TOMCAT_AJP_SECRET"
=====================================================================
Use a value that cannot be easily guessed for YOUR_TOMCAT_AJP_SECRET.As for the details of setting, please refer to the manual of Tomcat,mod_proxy and mod_proxy_ajp.
Apache Software Foundation
Fixed in Apache Tomcat 9.0.31
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
Apache Software Foundation
Fixed in Apache Tomcat 8.5.51
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51
Apache Software Foundation
Fixed in Apache Tomcat 7.0.100
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.100
Apache Software Foundation
Apache Tomcat 9 Security Considerations
https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html
Apache Software Foundation
Apache Tomcat 8 Security Considerations
https://tomcat.apache.org/tomcat-8.5-doc/security-howto.html
Apache Software Foundation
Apache Tomcat 7 Security Considerations
https://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
Apache
Apache Module mod_proxy
https://httpd.apache.org/docs/trunk/en/mod/mod_proxy.html
Apache
Apache Module mod_proxy_ajp
https://httpd.apache.org/docs/trunk/en/mod/mod_proxy_ajp.html
If you have any information regarding this alert, please contact JPCERT/CC.
2020-02-28 Updated "IV. Workarounds" and "V. References"
JPCERT Coordination Center (Early Warning Group)
TEL: +81-3-6811-0610 MAIL: ew-info@jpcert.or.jp
https://www.jpcert.or.jp/english/
JPCERT/CC
2020-02-25(Initial)
2020-02-28(Update)
I. Overview
On February 24, 2020 (Local Time), Apache Software Foundation has released information regarding a vulnerability (CVE-2020-1938) in Apache Tomcat. The vulnerability is due to the handling of Attribute in Apache JServ Protocol (AJP). A remote attacker leveraging this vulnerability may steal information via AJP.In addition, a remote attacker may execute arbitrary code if the Web application allows file upload and stores files.
For more information on the vulnerability, please refer to the information provided by Apache Software Foundation.
Apache Software Foundation
[SECURITY] CVE-2020-1938 AJP Request Injection and potential Remote Code Execution
https://lists.apache.org/thread.html/r7c6f492fbd39af34a68681dbbba0468490ff1a97a1bd79c6a53610ef%40%3Cannounce.tomcat.apache.org%3E
II. Affected Products
The following versions are affected by this vulnerability:- Apache Tomcat versions 9.0.0.M1 to 9.0.30
- Apache Tomcat versions 8.5.0 to 8.5.50
- Apache Tomcat versions 7.0.0 to 7.0.99
III. Solution
Apache Software Foundation has released versions of Apache Tomcat that address this vulnerability. Please update to these versions by referring to the information provided by Apache.- Apache Tomcat 9.0.31
- Apache Tomcat 8.5.51
- Apache Tomcat 7.0.100
IV. Workarounds
If it is difficult to apply update, please consider applying the following workarounds. Using a combination of updates and workarounds can make your system more robust.- Disable AJP if AJP is not required
- Restrict access such as AJP authentication settings if AJP is required
[Setting Example]
Settings on the Tomcat
- Perform the following settings for Connector port in <CATALINA_BASE>/conf/server.xml
=====================================================================
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="YOUR_TOMCAT_IP_ADDRESS" requiredSecret="YOUR_TOMCAT_AJP_SECRET" />
=====================================================================
Setting on the Apache
- Make the following settings for ProxyPass in /conf/httpd.conf
=====================================================================
ProxyPass "URL" secret = "YOUR_TOMCAT_AJP_SECRET"
=====================================================================
Use a value that cannot be easily guessed for YOUR_TOMCAT_AJP_SECRET.As for the details of setting, please refer to the manual of Tomcat,mod_proxy and mod_proxy_ajp.
Update: February 28, 2020 Update
JPCERT/CC has confirmed that [Setting Example] does not work with the latest version of Apache (2.4.41) at this time. We apologize for the inconvenience. According to information from the developers, the function will be implemented in Apache 2.4.42.
Depending on the Apache distributed by each distributor, a security patch has already been applied and [Setting Example] can be applied in some distributions (JPCERT/CC has confirmed on CentOS7). For more details, please contact with each distributor.
In addition, JPCERT/CC has confirmed that the workaround works by setting authentication information in Apache Tomcat Connectors (mod_jk).For more detail of settings, please refer to the information provided by Apache Software Foundation.
Apache Software Foundation
The Apache Tomcat Connectors: mod_jk, ISAPI redirector, NSAPI redirector
http://tomcat.apache.org/connectors-doc/
The Apache Tomcat Connectors - Reference Guide
workers.properties configuration
https://tomcat.apache.org/connectors-doc/reference/workers.html
Depending on the Apache distributed by each distributor, a security patch has already been applied and [Setting Example] can be applied in some distributions (JPCERT/CC has confirmed on CentOS7). For more details, please contact with each distributor.
In addition, JPCERT/CC has confirmed that the workaround works by setting authentication information in Apache Tomcat Connectors (mod_jk).For more detail of settings, please refer to the information provided by Apache Software Foundation.
Apache Software Foundation
The Apache Tomcat Connectors: mod_jk, ISAPI redirector, NSAPI redirector
http://tomcat.apache.org/connectors-doc/
The Apache Tomcat Connectors - Reference Guide
workers.properties configuration
https://tomcat.apache.org/connectors-doc/reference/workers.html
V. References
Apache Software Foundation
Fixed in Apache Tomcat 9.0.31
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
Apache Software Foundation
Fixed in Apache Tomcat 8.5.51
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51
Apache Software Foundation
Fixed in Apache Tomcat 7.0.100
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.100
Apache Software Foundation
Apache Tomcat 9 Security Considerations
https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html
Apache Software Foundation
Apache Tomcat 8 Security Considerations
https://tomcat.apache.org/tomcat-8.5-doc/security-howto.html
Apache Software Foundation
Apache Tomcat 7 Security Considerations
https://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
Apache
Apache Module mod_proxy
https://httpd.apache.org/docs/trunk/en/mod/mod_proxy.html
Apache
Apache Module mod_proxy_ajp
https://httpd.apache.org/docs/trunk/en/mod/mod_proxy_ajp.html
Update: February 28, 2020 Update
The above references are the Apache development version manuals, which describe the relevant function (secret) in [Setting Example] mentioned in "IV. Workarounds". The current version of the manual (2.4.41) does not provide a description of the function at this time.
If you have any information regarding this alert, please contact JPCERT/CC.
Revision History
2020-02-25 First edition2020-02-28 Updated "IV. Workarounds" and "V. References"
JPCERT Coordination Center (Early Warning Group)
TEL: +81-3-6811-0610 MAIL: ew-info@jpcert.or.jp
https://www.jpcert.or.jp/english/