A serious vulnerability, dubbed Ghostcat, has been discovered in Apache Tomcat and criminals are already trying to exploit it.
Tomcat is one of the most popular Java application servers, with over 800k active installations visible on the web.
According to the researchers who discovered the bug at Chaitin Tech:
Due to a flaw in the Tomcat AJP protocol, an attacker can read or include any files in the webapp directories of Tomcat. For example, an attacker can read the webapp configuration files or source code. In addition, if the target web application has a file upload function, the attacker may execute malicious code on the target host by exploiting file inclusion through Ghostcat vulnerability.
The vulnerability is tracked by CVE-2020-1938 and is present in all version prior to the fix released in: 9.0.31 / 8.5.51 or 7.0.100
The bug exists in the Apache Jserv Protocol (AJP) which is enabled in a default installation on port 8009. Even though AJP is enabled by default, it is usually only used if clustering or reverse proxy is active as it is more efficient than native HTTP. This is an example of why server hardening by disabling services that are not needed is an essential part of good security hygiene.