CVE-2020-1745 Overview
A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Red Hat Undertow version 2.0.29.Final and earlier. This vulnerability was fixed in version 2.0.30.Final. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution.
This vulnerability is related to the widely-publicized "Ghostcat" vulnerability (CVE-2020-1938) that affected Apache Tomcat's AJP connector, as both share similar attack vectors through the AJP protocol implementation.
Critical Impact
Remote unauthenticated attackers can read arbitrary web application files and potentially achieve remote code execution through file upload functionality combined with file inclusion.
Affected Products
- Red Hat Undertow 2.0.29.Final and earlier (all versions prior to 2.0.30.Final)
- Systems with AJP connector enabled on default port 8009
Discovery Timeline
- April 28, 2020 - CVE-2020-1745 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-1745
Vulnerability Analysis
This file inclusion vulnerability exists in the Apache JServ Protocol (AJP) connector implementation within Red Hat Undertow. The AJP protocol is designed to enable communication between web servers (like Apache HTTP Server) and application servers, typically operating on port 8009 by default.
The vulnerability stems from improper access controls in the AJP connector that allow attackers to manipulate AJP requests to read files outside the intended web application context. When combined with file upload functionality, this flaw can be escalated from a file read/inclusion vulnerability to full remote code execution by uploading malicious JSP content disguised as an allowed file type (such as an image) and then including it for execution.
The vulnerability is classified under CWE-285 (Improper Authorization), indicating that the core issue relates to insufficient access control validation within the AJP protocol handling.
Root Cause
The root cause of this vulnerability lies in the default configuration of the AJP connector and improper authorization checks when processing AJP requests. The AJP protocol implementation in affected Undertow versions does not adequately validate or restrict file access requests, allowing attackers to traverse directories and access sensitive files. The connector trusts incoming AJP requests without proper authentication, which is particularly dangerous when the AJP port is exposed to untrusted networks.
Attack Vector
The attack can be executed remotely over the network without requiring any authentication or user interaction. An attacker needs network access to port 8009 (or whichever port the AJP connector is configured to use) to exploit this vulnerability.
The exploitation typically follows this pattern:
- The attacker identifies a target server with an exposed AJP connector (default port 8009)
- Crafted AJP requests are sent to the connector to read sensitive files such as configuration files, source code, or credentials
- If file upload functionality exists, the attacker uploads a malicious JSP payload disguised as an allowed file type
- The attacker then uses the file inclusion capability to execute the uploaded JSP code, achieving remote code execution
For detailed technical analysis of the exploitation methodology, refer to the Tenable Blog CVE-2020-1938 Analysis which covers the related Ghostcat vulnerability with similar attack patterns.
Detection Methods for CVE-2020-1745
Indicators of Compromise
- Unusual network connections to port 8009 from external or untrusted IP addresses
- Unexpected file read attempts or access patterns in web application logs
- Presence of suspicious files with unexpected extensions containing JSP code
- Anomalous AJP protocol traffic patterns indicating malformed or crafted requests
Detection Strategies
- Monitor network traffic for connections to AJP port 8009, especially from external sources
- Implement intrusion detection rules to identify malicious AJP request patterns
- Review web server access logs for path traversal attempts or unusual file access patterns
- Deploy file integrity monitoring on web application directories to detect unauthorized modifications
Monitoring Recommendations
- Configure network monitoring to alert on any external connections to the AJP connector port
- Enable detailed logging for the Undertow server and AJP connector
- Implement application-level monitoring to detect unusual file inclusion or execution patterns
- Regularly audit uploaded files for suspicious content that may contain embedded JSP code
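The last recommendation (auditing uploaded files for embedded JSP code) is the one that catches the escalation path described in the Technical Details, where JSP is hidden inside a file type the upload filter allows. The following scanner is an added example, not the page's or the Undertow project's code. It walks an upload directory, skips files whose extension is expected to contain JSP, and reports any other file whose raw bytes contain a JSP directive, action or scriptlet; the marker patterns, the extension list and the constructed sample files (a clean PNG header, a PNG with a harmless placeholder scriptlet appended, a plain JSP and a text file) are all assumptions made for this example.

```python
import re
import tempfile
from pathlib import Path

# Byte patterns that indicate JSP code. Matching raw bytes lets binary uploads
# (images, archives) be scanned without text-decoding errors. These patterns
# are an assumption for this example, not an exhaustive signature set.
JSP_MARKERS = {
    "jsp-directive": re.compile(rb"<%@\s*(page|include|taglib)\b"),
    "jsp-action": re.compile(rb"<jsp:[A-Za-z]+"),
    # A scriptlet/expression/declaration: "<%", optional =/!, whitespace, then a closing "%>"
    # within 4 KiB. The whitespace requirement keeps random "<%" byte pairs in binaries quiet.
    "jsp-scriptlet": re.compile(rb"<%[=!]?\s[\s\S]{0,4096}?%>"),
}

# Extensions where JSP syntax is expected; a hit in any other file is "disguised" JSP.
JSP_EXTENSIONS = {".jsp", ".jspx", ".jspf"}


def scan_bytes(data):
    """Return the sorted names of all JSP markers found in `data`."""
    return sorted(name for name, pat in JSP_MARKERS.items() if pat.search(data))


def scan_upload_dir(root, max_bytes=10 * 1024 * 1024):
    """Return [(relative_path, [marker names])] for non-JSP files that contain JSP markers."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() in JSP_EXTENSIONS:
            continue
        with path.open("rb") as fh:
            data = fh.read(max_bytes)  # cap the read so huge uploads cannot exhaust memory
        hits = scan_bytes(data)
        if hits:
            findings.append((str(path.relative_to(root)), hits))
    return findings


def build_sample_upload_dir():
    """Create a temporary directory of constructed sample uploads for demonstration."""
    root = Path(tempfile.mkdtemp(prefix="uploads-"))
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64  # minimal PNG-like prefix, constructed
    (root / "avatar.png").write_bytes(png_header)
    # A PNG prefix followed by a harmless placeholder scriptlet: the "disguised" case.
    (root / "banner.png").write_bytes(
        png_header + b'<%@ page language="java" %><% out.println("placeholder"); %>'
    )
    (root / "index.jsp").write_bytes(b"<%= 1 + 1 %>")  # expected to contain JSP, so skipped
    (root / "notes.txt").write_bytes(b"just text, 50% done <not jsp>")
    return root


if __name__ == "__main__":
    sample_root = build_sample_upload_dir()
    for rel_path, markers in scan_upload_dir(sample_root):
        print(f"suspicious upload: {rel_path} ({', '.join(markers)})")
```

Run against the constructed directory, only banner.png is reported, with both a directive and a scriptlet marker; the genuine .jsp file is skipped by design because a scanner for disguised code should not drown in hits from files that are supposed to contain JSP. In production, point scan_upload_dir at the application's upload root and feed the findings to the file integrity monitoring already recommended above.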
How to Mitigate CVE-2020-1745
Immediate Actions Required
- Upgrade Red Hat Undertow to version 2.0.30.Final or later immediately
- If immediate upgrade is not possible, disable the AJP connector entirely if not required
- Restrict network access to the AJP port (8009) using firewall rules to allow only trusted hosts
- Review and audit any file upload functionality for proper validation and restrictions
Patch Information
Red Hat has addressed this vulnerability in Undertow version 2.0.30.Final. Organizations should upgrade to this version or later to remediate the vulnerability. Additional information and patch details can be found in the Red Hat Bugzilla CVE-2020-1745 tracking entry. NetApp has also released guidance in their NetApp Security Advisory NTAP-20240216-0011.
Workarounds
- Disable the AJP connector if it is not required for your deployment
- Configure firewall rules to block external access to port 8009 and allow only trusted internal hosts
- Implement a secret attribute for the AJP connector to require authentication between the web server and application server
- Review and restrict file upload functionality to prevent uploading files that could be interpreted as executable code
# Example firewall configuration to restrict AJP port access.
# Allow only the trusted front-end web server (Apache/nginx) to connect to the AJP port;
# 192.168.1.100 is an example address standing in for that server. Rules are evaluated
# in order, so the ACCEPT must be added before the DROP.
iptables -A INPUT -p tcp --dport 8009 -s 192.168.1.100 -j ACCEPT
iptables -A INPUT -p tcp --dport 8009 -j DROP
# Alternatively, bind the AJP connector to localhost only in the Undertow configuration
# so that it is not reachable from the network at all.
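Whichever workaround is chosen, it is worth verifying afterwards that the AJP listener is no longer reachable from the network. The following check is an added example, not the page's or the Undertow project's code: it parses listening-socket output in the column layout of `ss -ltn` (the rows are constructed to exercise the address forms ss prints, not captured from a real host) and classifies every socket on the AJP port as bound to loopback, to all interfaces, or to one specific non-loopback interface; anything other than loopback is reported as exposed.

```python
import ipaddress

AJP_PORT = 8009

# Constructed rows in the layout of `ss -ltn` (not captured from a real host);
# several 8009 rows are included only to exercise each address form.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:8009         0.0.0.0:*
LISTEN  0       128     127.0.0.1:8009       0.0.0.0:*
LISTEN  0       128     [::1]:8009           [::]:*
LISTEN  0       128     192.168.1.5:8009     0.0.0.0:*
LISTEN  0       128     *:8080               *:*
"""


def parse_local_address(field):
    """Split 'host:port' as ss prints it ('0.0.0.0:8009', '[::1]:8009', '*:8080') into (host, port)."""
    host, _, port = field.rpartition(":")
    return host.strip("[]"), int(port)


def exposure_of(host):
    """Classify a bound address: 'loopback', 'all-interfaces', 'specific-interface' or 'unknown'."""
    if host in ("*", "0.0.0.0", "::"):
        return "all-interfaces"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"
    return "loopback" if addr.is_loopback else "specific-interface"


def audit_ajp_listeners(ss_text, ajp_port=AJP_PORT):
    """Return [(local_address, exposure)] for every LISTEN socket on the AJP port."""
    findings = []
    for line in ss_text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header or non-listening row
        host, port = parse_local_address(cols[3])
        if port != ajp_port:
            continue
        findings.append((cols[3], exposure_of(host)))
    return findings


def exposed_ajp_listeners(ss_text, ajp_port=AJP_PORT):
    """Only the AJP sockets a remote host could reach, i.e. everything not bound to loopback."""
    return [f for f in audit_ajp_listeners(ss_text, ajp_port) if f[1] != "loopback"]


if __name__ == "__main__":
    for local, exposure in exposed_ajp_listeners(SAMPLE_SS_OUTPUT):
        print(f"AJP listener {local} is reachable from the network ({exposure})")
```

On the constructed rows, 0.0.0.0:8009 and 192.168.1.5:8009 are reported as exposed while the two loopback bindings pass. A loopback binding removes the network exposure that CVE-2020-1745 depends on but does not fix the connector itself, so it complements rather than replaces the upgrade to 2.0.30.Final.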
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.