JPCERT-AT-2020-0009 JPCERT/CC 2020-02-25(Initial) 2020-02-28(Update) <<< JPCERT/CC Alert 2020-02-25 >>> Alert Regarding Vulnerability (CVE-2020-1938) in Apache Tomcat https://www.jpcert.or.jp/english/at/2020/at200009.html I. Overview On February 24, 2020 (Local Time), Apache Software Foundation has released information regarding a vulnerability (CVE-2020-1938) in Apache Tomcat. The vulnerability is due to the handling of Attribute in Apache JServ Protocol (AJP). A remote attacker leveraging this vulnerability may steal information via AJP. In addition, a remote attacker may execute arbitrary code if the Web application allows file upload and stores files. For more information on the vulnerability, please refer to the information provided by Apache Software Foundation. Apache Software Foundation [SECURITY] CVE-2020-1938 AJP Request Injection and potential Remote Code Execution https://lists.apache.org/thread.html/r7c6f492fbd39af34a68681dbbba0468490ff1a97a1bd79c6a53610ef%40%3Cannounce.tomcat.apache.org%3E II. Affected Products The following versions are affected by this vulnerability: - Apache Tomcat versions 9.0.0.M1 to 9.0.30 - Apache Tomcat versions 8.5.0 to 8.5.50 - Apache Tomcat versions 7.0.0 to 7.0.99 III. Solution Apache Software Foundation has released versions of Apache Tomcat that address this vulnerability. Please update to these versions by referring to the information provided by Apache. - Apache Tomcat 9.0.31 - Apache Tomcat 8.5.51 - Apache Tomcat 7.0.100 IV. Workarounds If it is difficult to apply update, please consider applying the following workarounds. Using a combination of updates and workarounds can make your system more robust. - Disable AJP if AJP is not required - Restrict access such as AJP authentication settings if AJP is required [Setting Example] Settings on the Tomcat - Perform the following settings for Connector port in /conf/server.xml ===================================================================== ===================================================================== Setting on the Apache - Make the following settings for ProxyPass in /conf/httpd.conf ===================================================================== ProxyPass "URL" secret = "YOUR_TOMCAT_AJP_SECRET" ===================================================================== Use a value that cannot be easily guessed for YOUR_TOMCAT_AJP_SECRET. As for the details of setting, please refer to the manual of Tomcat, mod_proxy and mod_proxy_ajp. ** Update: February 28, 2020 Update ********************************** JPCERT/CC has confirmed that [Setting Example] does not work with the latest version of Apache (2.4.41) at this time. We apologize for the inconvenience. According to information from the developers, the function will be implemented in Apache 2.4.42. Depending on the Apache distributed by each distributor, a security patch has already been applied and [Setting Example] can be applied in some distributions (JPCERT/CC has confirmed on CentOS7). For more details, please contact with each distributor. In addition, JPCERT/CC has confirmed that the workaround works by setting authentication information in Apache Tomcat Connectors (mod_jk). For more detail of settings, please refer to the information provided by Apache Software Foundation. Apache Software Foundation The Apache Tomcat Connectors: mod_jk, ISAPI redirector, NSAPI redirector http://tomcat.apache.org/connectors-doc/ The Apache Tomcat Connectors - Reference Guide workers.properties configuration https://tomcat.apache.org/connectors-doc/reference/workers.html ********************************************************************** V. References Apache Software Foundation Fixed in Apache Tomcat 9.0.31 http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31 Apache Software Foundation Fixed in Apache Tomcat 8.5.51 http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51 Apache Software Foundation Fixed in Apache Tomcat 7.0.100 http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.100 Apache Software Foundation Apache Tomcat 9 Security Considerations https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html Apache Software Foundation Apache Tomcat 8 Security Considerations https://tomcat.apache.org/tomcat-8.5-doc/security-howto.html Apache Software Foundation Apache Tomcat 7 Security Considerations https://tomcat.apache.org/tomcat-7.0-doc/security-howto.html Apache Apache Module mod_proxy https://httpd.apache.org/docs/trunk/en/mod/mod_proxy.html Apache Apache Module mod_proxy_ajp https://httpd.apache.org/docs/trunk/en/mod/mod_proxy_ajp.html ** Update: February 28, 2020 Update ********************************** The above references are the Apache development version manuals, which describe the relevant function (secret) in [Setting Example] mentioned in "IV. Workarounds". The current version of the manual (2.4.41) does not provide a description of the function at this time. ********************************************************************** If you have any information regarding this alert, please contact JPCERT/CC. ________ Revision History 2020-02-25 First edition 2020-02-28 Updated "IV. Workarounds" and "V. References" ====================================================================== JPCERT Coordination Center (Early Warning Group) TEL: +81-3-6811-0610 MAIL: ew-info@jpcert.or.jp https://www.jpcert.or.jp/english/