CVE-2020-1938: Apache Tomcat AJP RCE Vulnerability

CVE-2020-1938 Overview

CVE-2020-1938, commonly known as "Ghostcat," is a critical vulnerability in Apache Tomcat's Apache JServ Protocol (AJP) connector that allows attackers to read arbitrary files from the web application and achieve remote code execution under certain conditions. The vulnerability stems from the fact that Tomcat treats AJP connections as having higher trust than HTTP connections, and by default, the AJP connector was enabled and listening on all configured IP addresses.

When the AJP port (default 8009) is accessible to untrusted users, attackers can exploit this vulnerability to return arbitrary files from anywhere within the web application directory. More critically, attackers can process any file in the web application as a JSP file, enabling code execution. If the application allows file uploads or if an attacker can control content within the web application through other means, this vulnerability can be chained to achieve full remote code execution.

Critical Impact
This vulnerability is actively exploited in the wild and listed in CISA's Known Exploited Vulnerabilities catalog. With an EPSS probability of 94.47%, it represents an extremely high likelihood of exploitation. Attackers can read sensitive configuration files, application source code, and potentially execute arbitrary code on vulnerable servers.

Affected Products

Apache Tomcat 9.0.0.M1 to 9.0.30
Apache Tomcat 8.5.0 to 8.5.50
Apache Tomcat 7.0.0 to 7.0.99
Apache Geode 1.12.0
Oracle Agile PLM (versions 9.3.3, 9.3.5, 9.3.6)
Oracle MySQL Enterprise Monitor
Oracle Communications Element Manager
Debian Linux 8.0, 9.0, 10.0
Fedora 30, 31, 32
openSUSE Leap 15.1
BlackBerry Good Control and Workspaces Server
NetApp Data Availability Services and OnCommand System Manager

Discovery Timeline

2020-02-24 - CVE-2020-1938 published to NVD
2025-10-27 - Last updated in NVD database

Technical Details for CVE-2020-1938

Vulnerability Analysis

The Apache JServ Protocol (AJP) is a binary protocol designed for efficient communication between a web server (such as Apache HTTP Server) and application server (such as Tomcat). Unlike HTTP, AJP connections are inherently trusted by Tomcat because they are intended for internal communication between components in a controlled environment.

The fundamental issue is that Apache Tomcat shipped with an AJP connector enabled by default, listening on all configured IP addresses (0.0.0.0:8009). While the security documentation recommended disabling this connector if not required, many deployments left it enabled and accessible from untrusted networks.

When an attacker can connect to the AJP port, they can forge AJP requests with specially crafted attributes that Tomcat trusts implicitly. This allows two primary attack vectors:

Arbitrary File Read: By manipulating request attributes, attackers can read any file within the web application's directory structure, including WEB-INF/web.xml, configuration files, and source code.
File Inclusion as JSP: Attackers can force Tomcat to treat arbitrary files as JSP files and compile/execute them. If the application accepts file uploads or if attackers can place content in the web application directory through other means, they can upload a file containing JSP code and trigger its execution.

Root Cause

The root cause of this vulnerability lies in the implicit trust model of the AJP protocol combined with insecure default configuration. Specifically:

Excessive Trust: AJP requests are treated as fully trusted internal requests, allowing manipulation of request attributes that would normally be protected in HTTP requests.
Insecure Default Binding: The AJP connector defaulted to binding on all interfaces (0.0.0.0) rather than localhost only.
Enabled by Default: The AJP connector was enabled out of the box, even when not needed for the deployment scenario.

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker with network access to the AJP port (default TCP/8009) can exploit this vulnerability directly.

The exploitation process involves sending crafted AJP messages that manipulate internal request attributes. These attributes control how Tomcat handles the request, including which file to serve and how to process it. By setting specific attributes, attackers can:

Override the servlet path to point to arbitrary files within the web application
Force Tomcat to process the file through the JSP servlet, causing compilation and execution
Include path traversal sequences to access files outside the expected directory structure

If file upload functionality exists and stores files within the web application directory, attackers can upload a file containing malicious JSP code (potentially disguised with an innocent extension) and then use this vulnerability to execute it as a JSP, achieving remote code execution.

Detection Methods for CVE-2020-1938

Indicators of Compromise

Unexpected connections to TCP port 8009 (default AJP port) from external IP addresses
AJP binary protocol traffic containing unusual request attribute manipulations
Log entries showing access to sensitive files such as /WEB-INF/web.xml or configuration files that should not be directly accessible
Unusual JSP compilation activity for files that are not typically JSP files
Evidence of file access patterns consistent with reconnaissance (sequential reading of multiple configuration files)

Detection Strategies

Deploy network intrusion detection signatures for Ghostcat/CVE-2020-1938 exploitation attempts on AJP protocol traffic
Monitor for connections to AJP ports (8009, 8019, etc.) from non-whitelisted source addresses
Enable and review Tomcat access logs for unusual file access patterns, particularly requests for files in /WEB-INF/ directory
Implement application-level monitoring to detect attempts to process non-JSP files as JSP
Correlate file upload events with subsequent unusual file access attempts

Monitoring Recommendations

Configure firewall logging for any traffic destined to AJP ports from untrusted networks
Implement real-time alerting for successful connections to AJP ports from external IP ranges
Enable verbose logging in Tomcat to capture request attributes and servlet processing details
Monitor for new or unusual JSP compilation in Tomcat work directories
Track changes to files within web application directories that could indicate successful exploitation

How to Mitigate CVE-2020-1938

Immediate Actions Required

Immediately disable the AJP connector if not required for your deployment by commenting out or removing the <Connector port="8009" protocol="AJP/1.3" ... /> entry in server.xml
If AJP is required, bind the AJP connector to localhost only (address="127.0.0.1") or to specific trusted internal IP addresses
Apply firewall rules to block external access to TCP port 8009 and any other configured AJP ports
Upgrade to patched versions: Apache Tomcat 9.0.31, 8.5.51, or 7.0.100 (or later)
Review web application file upload functionality to ensure files are not stored within the web application directory structure

Patch Information

Apache has released security patches that harden the default AJP connector configuration. The fixed versions include:

Apache Tomcat 9.0.31 and later
Apache Tomcat 8.5.51 and later
Apache Tomcat 7.0.100 and later

Key changes in the patched versions include:

AJP connector requires explicit configuration of the secretRequired attribute
New secret attribute for AJP authentication
Hardened default attribute handling to reject potentially dangerous request attributes

Users upgrading to fixed versions should note that configuration changes may be required due to the hardened defaults. Consult the Apache Tomcat Announce Thread for detailed upgrade guidance.

Additional vendor patches are available from Oracle CPU January 2021, Debian DSA-4680, and NetApp Security Advisory.

Workarounds

Disable the AJP connector entirely if not used by removing or commenting out the connector definition in conf/server.xml
Restrict AJP connector binding to localhost by setting address="127.0.0.1" in the connector configuration
Implement network segmentation and firewall rules to ensure AJP ports are only accessible from trusted internal addresses
If using Apache HTTP Server as a reverse proxy with mod_jk or mod_proxy_ajp, ensure proper network isolation between the web server and Tomcat

bash

# Configuration example - Disable AJP in server.xml
# Comment out or remove this line:
# <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

# If AJP is required, bind to localhost only:
# <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="127.0.0.1" secretRequired="true" secret="your-secret-key" />

# Firewall rule to block external AJP access (iptables example):
iptables -A INPUT -p tcp --dport 8009 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 8009 -j DROP

CVE-2020-1938 Overview

Critical Impact
This vulnerability is actively exploited in the wild and listed in CISA's Known Exploited Vulnerabilities catalog. With an EPSS probability of 94.47%, it represents an extremely high likelihood of exploitation. Attackers can read sensitive configuration files, application source code, and potentially execute arbitrary code on vulnerable servers.

Affected Products

Apache Tomcat 9.0.0.M1 to 9.0.30
Apache Tomcat 8.5.0 to 8.5.50
Apache Tomcat 7.0.0 to 7.0.99
Apache Geode 1.12.0
Oracle Agile PLM (versions 9.3.3, 9.3.5, 9.3.6)
Oracle MySQL Enterprise Monitor
Oracle Communications Element Manager
Debian Linux 8.0, 9.0, 10.0
Fedora 30, 31, 32
openSUSE Leap 15.1
BlackBerry Good Control and Workspaces Server
NetApp Data Availability Services and OnCommand System Manager

Discovery Timeline

2020-02-24 - CVE-2020-1938 published to NVD
2025-10-27 - Last updated in NVD database

Technical Details for CVE-2020-1938

Vulnerability Analysis

When an attacker can connect to the AJP port, they can forge AJP requests with specially crafted attributes that Tomcat trusts implicitly. This allows two primary attack vectors:

Arbitrary File Read: By manipulating request attributes, attackers can read any file within the web application's directory structure, including WEB-INF/web.xml, configuration files, and source code.
File Inclusion as JSP: Attackers can force Tomcat to treat arbitrary files as JSP files and compile/execute them. If the application accepts file uploads or if attackers can place content in the web application directory through other means, they can upload a file containing JSP code and trigger its execution.

Root Cause

The root cause of this vulnerability lies in the implicit trust model of the AJP protocol combined with insecure default configuration. Specifically:

Excessive Trust: AJP requests are treated as fully trusted internal requests, allowing manipulation of request attributes that would normally be protected in HTTP requests.
Insecure Default Binding: The AJP connector defaulted to binding on all interfaces (0.0.0.0) rather than localhost only.
Enabled by Default: The AJP connector was enabled out of the box, even when not needed for the deployment scenario.

Attack Vector

The attack is network-based and requires no authentication or user interaction. An attacker with network access to the AJP port (default TCP/8009) can exploit this vulnerability directly.

Override the servlet path to point to arbitrary files within the web application
Force Tomcat to process the file through the JSP servlet, causing compilation and execution
Include path traversal sequences to access files outside the expected directory structure

Detection Methods for CVE-2020-1938

Indicators of Compromise

Unexpected connections to TCP port 8009 (default AJP port) from external IP addresses
AJP binary protocol traffic containing unusual request attribute manipulations
Log entries showing access to sensitive files such as /WEB-INF/web.xml or configuration files that should not be directly accessible
Unusual JSP compilation activity for files that are not typically JSP files
Evidence of file access patterns consistent with reconnaissance (sequential reading of multiple configuration files)

Detection Strategies

Deploy network intrusion detection signatures for Ghostcat/CVE-2020-1938 exploitation attempts on AJP protocol traffic
Monitor for connections to AJP ports (8009, 8019, etc.) from non-whitelisted source addresses
Enable and review Tomcat access logs for unusual file access patterns, particularly requests for files in /WEB-INF/ directory
Implement application-level monitoring to detect attempts to process non-JSP files as JSP
Correlate file upload events with subsequent unusual file access attempts

Monitoring Recommendations

Configure firewall logging for any traffic destined to AJP ports from untrusted networks
Implement real-time alerting for successful connections to AJP ports from external IP ranges
Enable verbose logging in Tomcat to capture request attributes and servlet processing details
Monitor for new or unusual JSP compilation in Tomcat work directories
Track changes to files within web application directories that could indicate successful exploitation

How to Mitigate CVE-2020-1938

Immediate Actions Required

Immediately disable the AJP connector if not required for your deployment by commenting out or removing the <Connector port="8009" protocol="AJP/1.3" ... /> entry in server.xml
If AJP is required, bind the AJP connector to localhost only (address="127.0.0.1") or to specific trusted internal IP addresses
Apply firewall rules to block external access to TCP port 8009 and any other configured AJP ports
Upgrade to patched versions: Apache Tomcat 9.0.31, 8.5.51, or 7.0.100 (or later)
Review web application file upload functionality to ensure files are not stored within the web application directory structure

Patch Information

Apache has released security patches that harden the default AJP connector configuration. The fixed versions include:

Apache Tomcat 9.0.31 and later
Apache Tomcat 8.5.51 and later
Apache Tomcat 7.0.100 and later

Key changes in the patched versions include:

AJP connector requires explicit configuration of the secretRequired attribute
New secret attribute for AJP authentication
Hardened default attribute handling to reject potentially dangerous request attributes

Users upgrading to fixed versions should note that configuration changes may be required due to the hardened defaults. Consult the Apache Tomcat Announce Thread for detailed upgrade guidance.

Additional vendor patches are available from Oracle CPU January 2021, Debian DSA-4680, and NetApp Security Advisory.

Workarounds

Disable the AJP connector entirely if not used by removing or commenting out the connector definition in conf/server.xml
Restrict AJP connector binding to localhost by setting address="127.0.0.1" in the connector configuration
Implement network segmentation and firewall rules to ensure AJP ports are only accessible from trusted internal addresses
If using Apache HTTP Server as a reverse proxy with mod_jk or mod_proxy_ajp, ensure proper network isolation between the web server and Tomcat

bash

# Configuration example - Disable AJP in server.xml
# Comment out or remove this line:
# <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

# If AJP is required, bind to localhost only:
# <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="127.0.0.1" secretRequired="true" secret="your-secret-key" />

# Firewall rule to block external AJP access (iptables example):
iptables -A INPUT -p tcp --dport 8009 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 8009 -j DROP

CVE-2020-1938: Apache Tomcat AJP RCE Vulnerability

CVE-2020-1938 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2020-1938

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2020-1938

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2020-1938

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform

CVE-2020-1938: Apache Tomcat AJP RCE Vulnerability

CVE-2020-1938 Overview

Critical Impact

Affected Products

Discovery Timeline

Technical Details for CVE-2020-1938

Vulnerability Analysis

Root Cause

Attack Vector

Detection Methods for CVE-2020-1938

Indicators of Compromise

Detection Strategies

Monitoring Recommendations

How to Mitigate CVE-2020-1938

Immediate Actions Required

Patch Information

Workarounds

Experience the World’s Most Advanced Cybersecurity Platform