CVE-2020-1938 Overview
CVE-2020-1938, commonly known as "Ghostcat," is a critical vulnerability in Apache Tomcat's Apache JServ Protocol (AJP) connector that allows attackers to read arbitrary files from the web application and achieve remote code execution under certain conditions. The vulnerability stems from the fact that Tomcat treats AJP connections as having higher trust than HTTP connections, and by default, the AJP connector was enabled and listening on all configured IP addresses.
When the AJP port (default 8009) is reachable by untrusted clients, an attacker can retrieve any file within the web application's document root, including files under WEB-INF/ that Tomcat never serves in response to a direct HTTP request. More critically, the attacker can have Tomcat process any file in the web application as a JSP, which executes code. If the application accepts file uploads, or the attacker can otherwise place content inside the web application, the vulnerability is chained into full remote code execution.
Critical Impact
This vulnerability has been exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities catalog. Its EPSS score of 94.47% (as recorded when this page was generated) indicates an extremely high likelihood of exploitation. Attackers can read sensitive configuration files and application source code, and, where they can place content in the web application, execute arbitrary code on vulnerable servers.
Affected Products
- Apache Tomcat 9.0.0.M1 to 9.0.30
- Apache Tomcat 8.5.0 to 8.5.50
- Apache Tomcat 7.0.0 to 7.0.99
- Apache Geode 1.12.0
- Oracle Agile PLM (versions 9.3.3, 9.3.5, 9.3.6)
- Oracle MySQL Enterprise Monitor
- Oracle Communications Element Manager
- Debian Linux 8.0, 9.0, 10.0
- Fedora 30, 31, 32
- openSUSE Leap 15.1
- BlackBerry Good Control and Workspaces Server
- NetApp Data Availability Services and OnCommand System Manager
Discovery Timeline
- 2020-02-24 - CVE-2020-1938 published to NVD
- 2025-10-27 - Last updated in NVD database
Technical Details for CVE-2020-1938
Vulnerability Analysis
The Apache JServ Protocol (AJP) is a binary protocol designed for efficient communication between a web server (such as Apache HTTP Server) and application server (such as Tomcat). Unlike HTTP, AJP connections are inherently trusted by Tomcat because they are intended for internal communication between components in a controlled environment.
The fundamental issue is that Apache Tomcat shipped with an AJP connector enabled by default, listening on all configured IP addresses (0.0.0.0:8009). While the security documentation recommended disabling this connector if not required, many deployments left it enabled and accessible from untrusted networks.
When an attacker can connect to the AJP port, they can forge AJP requests with specially crafted attributes that Tomcat trusts implicitly. This allows two primary attack vectors:
Arbitrary File Read: By supplying request attributes that Tomcat normally sets only for internal includes, attackers can read any file within the web application's document root, including WEB-INF/web.xml, other configuration files, and source code. Reads are confined to that document root; files elsewhere on the host are not reachable this way.
File Inclusion as JSP: Attackers can force Tomcat to treat an arbitrary file in the web application as a JSP and compile and execute it, regardless of the file's extension. If the application accepts file uploads, or attackers can place content in the web application directory through other means, they can upload a file containing JSP code and trigger its execution.
Root Cause
The root cause of this vulnerability lies in the implicit trust model of the AJP protocol combined with insecure default configuration. Specifically:
Excessive Trust: AJP requests are treated as fully trusted internal requests. Request attributes carried in an AJP packet are applied to the request object as-is, including attributes that an HTTP client can never set because Tomcat only sets them itself when one servlet includes another resource.
Insecure Default Binding: The AJP connector defaulted to binding on all interfaces (0.0.0.0) rather than localhost only.
Enabled by Default: The AJP connector was enabled out of the box, even when not needed for the deployment scenario.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker with network access to the AJP port (default TCP/8009) can exploit this vulnerability directly.
The exploitation process involves sending crafted AJP Forward Request messages whose req_attribute entries set the javax.servlet.include.request_uri, javax.servlet.include.path_info and javax.servlet.include.servlet_path request attributes. Tomcat normally sets these itself when a servlet includes another resource, and its DefaultServlet and JspServlet resolve the resource to serve from them. An AJP client that supplies them directly can therefore:
- Steer the DefaultServlet to any file under the web application's document root, including files under WEB-INF/ and META-INF/ that Tomcat refuses to serve for a direct HTTP request
- Route the request to the JspServlet (for example by forging a request URI that ends in .jsp) so that the file named by the include attributes is compiled and executed as a JSP, whatever its real extension
- Reach only files inside that document root: the path is normalised before lookup, so traversal sequences do not escape the web application
If file upload functionality exists and stores files within the web application directory, attackers can upload a file containing malicious JSP code (potentially disguised with an innocent extension) and then use this vulnerability to execute it as a JSP, achieving remote code execution.
Detection Methods for CVE-2020-1938
Indicators of Compromise
- Connections to TCP port 8009 (or any other configured AJP port) from hosts other than the reverse proxies that are supposed to use it, including from external IP addresses
- AJP Forward Request packets carrying javax.servlet.include.* request attributes; a proxy such as mod_jk or mod_proxy_ajp never sends these, so their presence on the wire is the exploitation signature
- Access log entries served via the AJP connector that return 200 for short or nonexistent request URIs; note that the access log records the forged request URI and the client address supplied inside the AJP packet (both attacker-controlled), not the file actually served or the real TCP peer
- JSP compilation activity in the Tomcat work directory for files that are not JSPs (other extensions, or content that arrived through an upload feature)
- File access patterns consistent with reconnaissance, such as sequential requests for WEB-INF/web.xml, other WEB-INF/ content and META-INF/context.xml
Detection Strategies
- Deploy network intrusion detection signatures for Ghostcat/CVE-2020-1938 exploitation attempts on AJP protocol traffic, matching on javax.servlet.include.* request attribute names in Forward Request packets
- Monitor for connections to AJP ports (8009, 8019, etc.) from any source address other than the expected reverse proxies
- Enable Tomcat access logging and review entries from the AJP connector; because the logged URI is the forged one, look for unexpected request volumes, unfamiliar client addresses and 200 responses for URIs that do not exist in the application rather than for /WEB-INF/ paths
- Alert on the JspServlet compiling source files whose names do not end in .jsp or .jspx, which only happens when the include attributes were forged
- Correlate file upload events with subsequent unusual file access attempts or JSP compilations
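To make the attack vector described above and the AJP-traffic detection strategies in this section concrete, here is an added example in Python. It is not code from the original page or from the Tomcat project. It encodes an AJP/1.3 Forward Request the way a proxy such as mod_jk would, builds a constructed packet of the kind a Ghostcat file-read attempt uses (the three javax.servlet.include.* request attributes pointing at WEB-INF/web.xml), then decodes packets and flags those attributes and the file they would cause the DefaultServlet to serve. Nothing is sent on the network; every packet is built in memory. The function names, the header and attribute code tables and the sample values are this example's own; the wire layout follows the published AJP/1.3 packet format.

```python
"""Encode, decode and triage AJP/1.3 Forward Request packets (added example, in-memory only)."""
import posixpath
import struct

MAGIC_TO_CONTAINER = b"\x12\x34"   # client-to-container packets start with 0x1234
FORWARD_REQUEST = 0x02            # JK_AJP13_FORWARD_REQUEST prefix code
METHOD_GET = 2
ATTR_REQ_ATTRIBUTE = 0x0A         # generic attribute: name string followed by value string
ATTR_SSL_KEY_SIZE = 0x0B          # the one attribute whose value is a 2-byte integer
ATTR_TERMINATOR = 0xFF

# Common request header names may be sent as 0xA0xx codes instead of strings.
HEADER_CODES = {
    0xA001: "accept", 0xA002: "accept-charset", 0xA003: "accept-encoding",
    0xA004: "accept-language", 0xA005: "authorization", 0xA006: "connection",
    0xA007: "content-type", 0xA008: "content-length", 0xA009: "cookie",
    0xA00A: "cookie2", 0xA00B: "host", 0xA00C: "pragma", 0xA00D: "referer",
    0xA00E: "user-agent",
}
# Coded attributes carry only a value; code 0x0A carries a name as well.
ATTR_CODES = {
    0x01: "context", 0x02: "servlet_path", 0x03: "remote_user", 0x04: "auth_type",
    0x05: "query_string", 0x06: "route", 0x07: "ssl_cert", 0x08: "ssl_cipher",
    0x09: "ssl_session", 0x0C: "secret", 0x0D: "stored_method",
}
INCLUDE_PREFIX = "javax.servlet.include."


def ajp_string(value):
    """AJP string: 2-byte big-endian length, the bytes, a trailing NUL; None is 0xFFFF."""
    if value is None:
        return b"\xff\xff"
    data = value.encode("utf-8")
    return struct.pack(">H", len(data)) + data + b"\x00"


def build_forward_request(uri, attributes, headers=None, server_name="localhost", port=8080):
    """Encode a GET Forward Request as a proxy would send it (headers as plain strings)."""
    headers = headers if headers is not None else {"host": server_name}
    body = bytes([FORWARD_REQUEST, METHOD_GET]) + ajp_string("HTTP/1.1") + ajp_string(uri)
    body += ajp_string("127.0.0.1") + ajp_string(None)                    # remote_addr, remote_host
    body += ajp_string(server_name) + struct.pack(">H", port) + b"\x00"   # server_port, is_ssl=false
    body += struct.pack(">H", len(headers))
    for name, value in headers.items():
        body += ajp_string(name) + ajp_string(value)
    for name, value in attributes.items():          # every attribute sent as req_attribute (0x0A)
        body += bytes([ATTR_REQ_ATTRIBUTE]) + ajp_string(name) + ajp_string(value)
    body += bytes([ATTR_TERMINATOR])
    return MAGIC_TO_CONTAINER + struct.pack(">H", len(body)) + body


def sample_ghostcat_read_packet(target="WEB-INF/web.xml"):
    """Constructed Ghostcat file-read packet: forged include attributes make the
    DefaultServlet serve `target` from the web application root under a harmless URI."""
    return build_forward_request("/", {
        INCLUDE_PREFIX + "request_uri": "/",
        INCLUDE_PREFIX + "path_info": target,
        INCLUDE_PREFIX + "servlet_path": "/",
    })


class _Reader:
    """Cursor over a packet body."""
    def __init__(self, data):
        self.data, self.pos = data, 0

    def byte(self):
        self.pos += 1
        return self.data[self.pos - 1]

    def u16(self):
        self.pos += 2
        return struct.unpack_from(">H", self.data, self.pos - 2)[0]

    def string(self):
        length = self.u16()
        if length == 0xFFFF:
            return None
        value = self.data[self.pos:self.pos + length].decode("utf-8", "replace")
        self.pos += length + 1                       # skip the trailing NUL
        return value


def parse_forward_request(packet):
    """Decode a Forward Request into a dict; raises ValueError for other packet types."""
    if packet[:2] != MAGIC_TO_CONTAINER:
        raise ValueError("not a client-to-container AJP packet")
    length = struct.unpack_from(">H", packet, 2)[0]
    r = _Reader(packet[4:4 + length])
    if r.byte() != FORWARD_REQUEST:
        raise ValueError("not a Forward Request")
    req = {"method": r.byte(), "protocol": r.string(), "uri": r.string(),
           "remote_addr": r.string(), "remote_host": r.string(), "server_name": r.string(),
           "server_port": r.u16(), "is_ssl": bool(r.byte()), "headers": {}, "attributes": {}}
    for _ in range(r.u16()):
        code = struct.unpack_from(">H", r.data, r.pos)[0]
        if code >> 8 == 0xA0:                        # coded header name
            r.pos += 2
            name = HEADER_CODES.get(code, "header-0x%04x" % code)
        else:
            name = r.string()
        req["headers"][name] = r.string()
    while True:
        code = r.byte()
        if code == ATTR_TERMINATOR:
            break
        if code == ATTR_SSL_KEY_SIZE:
            req["attributes"]["ssl_key_size"] = r.u16()
            continue
        name = r.string() if code == ATTR_REQ_ATTRIBUTE else ATTR_CODES.get(code, "attr-0x%02x" % code)
        req["attributes"][name] = r.string()
    return req


def ghostcat_indicators(req):
    """Names of forged javax.servlet.include.* attributes; a proxy never sends these."""
    return sorted(n for n in req["attributes"] if n.startswith(INCLUDE_PREFIX))


def included_path(req):
    """Approximate the file the DefaultServlet would serve: include servlet_path + path_info."""
    attrs = req["attributes"]
    if INCLUDE_PREFIX + "servlet_path" not in attrs:
        return None
    raw = (attrs.get(INCLUDE_PREFIX + "servlet_path") or "") + "/" + (attrs.get(INCLUDE_PREFIX + "path_info") or "")
    return "/" + posixpath.normpath("/" + raw).lstrip("/")
```

Run parse_forward_request over packets captured on the AJP port (after stripping the TCP framing) and alert whenever ghostcat_indicators returns anything; included_path tells the analyst what the request was trying to read. Note that remote_addr in the decoded packet is whatever the client put there, which is why the Tomcat access log cannot be trusted for the attacker's address.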
Monitoring Recommendations
- Configure firewall logging for any traffic destined to AJP ports from untrusted networks
- Implement real-time alerting for successful connections to AJP ports from external IP ranges
- During an investigation, raise Tomcat's log level for the AJP connector so that received requests are recorded; access logs alone do not show AJP request attributes
- Monitor for new or unusual JSP compilation output under the Tomcat work directory (work/Catalina/<host>/<app>/org/apache/jsp/), especially generated classes whose names do not correspond to any JSP in the application
- Track changes to files within web application directories that could indicate successful exploitation
How to Mitigate CVE-2020-1938
Immediate Actions Required
- Immediately disable the AJP connector if not required for your deployment by commenting out or removing the <Connector port="8009" protocol="AJP/1.3" ... /> entry in server.xml
- If AJP is required, bind the AJP connector to localhost only (address="127.0.0.1") or to specific trusted internal IP addresses
- Apply firewall rules to block external access to TCP port 8009 and any other configured AJP ports
- Upgrade to patched versions: Apache Tomcat 9.0.31, 8.5.51, or 7.0.100 (or later)
- Review web application file upload functionality to ensure files are not stored within the web application directory structure
Patch Information
Apache has released security patches that harden the default AJP connector configuration. The fixed versions include:
- Apache Tomcat 9.0.31 and later
- Apache Tomcat 8.5.51 and later
- Apache Tomcat 7.0.100 and later
Key changes in the patched versions include:
- The AJP connector now binds to the loopback address by default instead of all interfaces
- A new secretRequired attribute that defaults to true: the connector refuses to start unless a secret is configured (or secretRequired is explicitly set to false), and the secret is checked on every incoming request
- A new secret attribute for that shared secret (the older requiredSecret attribute is deprecated in its favour)
- A new allowedRequestAttributesPattern attribute: requests carrying request attributes that are not on the connector's built-in allow list are rejected unless this pattern matches them
Users upgrading to fixed versions should note that configuration changes may be required due to the hardened defaults. Consult the Apache Tomcat Announce Thread for detailed upgrade guidance.
Additional vendor patches are available from Oracle CPU January 2021, Debian DSA-4680, and NetApp Security Advisory.
Workarounds
- Disable the AJP connector entirely if not used by removing or commenting out the connector definition in conf/server.xml
- Restrict AJP connector binding to localhost by setting address="127.0.0.1" in the connector configuration
- Implement network segmentation and firewall rules to ensure AJP ports are only accessible from trusted internal addresses
- If using Apache HTTP Server as a reverse proxy with mod_jk or mod_proxy_ajp, ensure proper network isolation between the web server and Tomcat
# Configuration example - Disable AJP in conf/server.xml.
# Remove the connector or wrap it in an XML comment (server.xml does not use # comments):
<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->

# If AJP is required (Tomcat 9.0.31, 8.5.51, 7.0.100 or later), bind it to loopback and require a secret.
# The proxy must send the same value (mod_jk worker "secret", mod_proxy_ajp "secret=" from httpd 2.4.42):
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="127.0.0.1" secretRequired="true" secret="your-secret-key" />

# Firewall rules to block external AJP access (iptables example). Rules are matched in order, so these
# must come before any general ACCEPT; replace 127.0.0.1 with the proxy's address if it is a separate host.
iptables -A INPUT -p tcp --dport 8009 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 8009 -j DROP
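To turn the mitigation checklist, the fixed-version list and the configuration above into something that can be run across a fleet, here is an added example in Python (not code from the original page or from the Tomcat project). It parses a server.xml, reports every AJP connector whose binding, secret or request-attribute settings leave Ghostcat reachable, and classifies a Tomcat version string against the fixed versions named on this page. The two server.xml samples are constructed for the example; the function names and finding texts are this example's own.

```python
"""Audit Tomcat server.xml AJP connectors and version strings for CVE-2020-1938 exposure (added example)."""
import xml.etree.ElementTree as ET

# Constructed samples: a pre-fix style connector and a hardened one.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" secretRequired="true" secret="replace-with-a-long-random-value" />
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost", "0:0:0:0:0:0:0:1"}
ALL_INTERFACES = {"0.0.0.0", "::", "0:0:0:0:0:0:0:0"}
FIXED_VERSIONS = [(9, 0, 31), (8, 5, 51), (7, 0, 100)]   # first fixed release per branch


def tomcat_version_vulnerable(version):
    """True/False for the 9.0.x, 8.5.x and 7.0.x branches; None for branches the advisory
    does not list (treat end-of-life branches such as 8.0.x and 6.0.x as unpatched)."""
    nums = []
    for part in version.split("."):
        if not part.isdigit():
            break                     # "9.0.0.M1": the milestone suffix sorts before 9.0.0
        nums.append(int(part))
    nums = tuple((nums + [0, 0, 0])[:3])
    for fixed in FIXED_VERSIONS:
        if nums[:2] == fixed[:2]:
            return nums < fixed
    return None


def audit_ajp_connectors(server_xml, fixed_tomcat=False):
    """Return [(port, finding), ...] for each AJP connector in a server.xml string.
    fixed_tomcat=True applies the 9.0.31/8.5.51/7.0.100 defaults (loopback bind, secretRequired=true)."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue
        port = conn.get("port", "?")
        address = conn.get("address")
        if address is None:
            if not fixed_tomcat:
                findings.append((port, "no address attribute: unpatched Tomcat binds AJP on all interfaces"))
        elif address in ALL_INTERFACES:
            findings.append((port, "address=%s binds AJP on all interfaces" % address))
        elif address not in LOOPBACK:
            findings.append((port, "address=%s is not loopback; the port must be firewalled to the proxy" % address))
        secret = conn.get("secret") or conn.get("requiredSecret")   # requiredSecret: pre-9.0.31 name
        secret_required = conn.get("secretRequired", "true" if fixed_tomcat else "false").lower() == "true"
        if not secret:
            if secret_required:
                findings.append((port, "secretRequired=true but no secret: the connector will refuse to start"))
            else:
                findings.append((port, "no AJP secret: any client that reaches the port is accepted"))
        if conn.get("allowedRequestAttributesPattern"):
            findings.append((port, "allowedRequestAttributesPattern re-admits request attributes; review the regex"))
    return findings


if __name__ == "__main__":
    print("weak:", audit_ajp_connectors(WEAK_SERVER_XML) or "no findings")
    print("hardened:", audit_ajp_connectors(HARDENED_SERVER_XML, fixed_tomcat=True) or "no findings")
    for v in ("9.0.0.M1", "9.0.30", "9.0.31", "8.5.51", "7.0.99", "8.0.53"):
        print(v, tomcat_version_vulnerable(v))
```

A connector with no findings and a non-vulnerable version is the target state; a connector that only needs the proxy on the same host should still get the firewall rules above, because loopback binding does nothing if Tomcat is later moved behind a separate proxy host and someone widens address to 0.0.0.0.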
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


