CVE-2020-1938

critical

Description

When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising.

In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed:

- returning arbitrary files from anywhere in the web application
- processing any file in the web application as a JSP

Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible.

It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
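The description's mitigation boils down to a configuration question: is an AJP Connector active, is it bound to every interface, and is a shared secret enforced? The following audit script is an added example, not code from this page or from the Tomcat project. It parses a Tomcat server.xml and reports those three properties for each AJP Connector. The attribute names it inspects (protocol, address, port, secretRequired, secret) are those of Tomcat's AJP Connector; the sample configurations embedded in it are constructed for the example, and the first mirrors the shape of the default connector that the advisory says shipped enabled in the affected versions.

```python
"""Audit a Tomcat server.xml for AJP Connector exposure.

Added example for the CVE-2020-1938 description; not code from the page or
from the Tomcat project. Attribute names (protocol, address, port,
secretRequired, secret) are those of Tomcat's AJP Connector; the sample
configurations below are constructed for this example.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List

# Bind addresses that expose a connector on every interface, which is also
# what omitting the address attribute does.
WILDCARD_ADDRESSES = {"0.0.0.0", "::", "::0", "0:0:0:0:0:0:0:0"}


@dataclass
class Finding:
    """One AJP Connector and the hardening gaps found on it."""
    port: str
    address: str
    issues: List[str] = field(default_factory=list)


def audit_server_xml(xml_text: str) -> List[Finding]:
    """Return one Finding per active AJP Connector in the given server.xml.

    Connectors inside <!-- --> comments are not parsed, so a connector that
    was disabled by commenting it out correctly yields no Finding.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        # Tomcat defaults protocol to HTTP/1.1; AJP is selected by "AJP/1.3"
        # or a class name such as org.apache.coyote.ajp.AjpNioProtocol.
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue
        address = conn.get("address")
        finding = Finding(port=conn.get("port", "8009"), address=address or "(all)")
        if address is None or address in WILDCARD_ADDRESSES:
            finding.issues.append("listens-on-all-interfaces")
        if conn.get("secretRequired", "").lower() == "false":
            finding.issues.append("secret-not-required")
        if not conn.get("secret"):
            finding.issues.append("no-shared-secret")
        findings.append(finding)
    return findings


def exposure_summary(findings: List[Finding]) -> str:
    """Collapse the audit into one of: no-ajp, hardened, exposed."""
    if not findings:
        return "no-ajp"
    return "exposed" if any(f.issues for f in findings) else "hardened"


def _wrap(connector_xml: str) -> str:
    """Embed a Connector element in a minimal server.xml skeleton (constructed)."""
    return f"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    {connector_xml}
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>"""


# Constructed samples. The first has the shape of the default AJP connector the
# advisory says shipped enabled in the affected versions: no address, so it
# listens on all configured IP addresses, and no shared secret.
DEFAULT_PRE_FIX = _wrap('<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />')

# Explicitly opts out of the secret and binds to every interface.
MISCONFIGURED = _wrap('<Connector port="8009" protocol="AJP/1.3" address="0.0.0.0" '
                      'secretRequired="false" redirectPort="8443" />')

# Loopback-only with a shared secret (placeholder value; use a random one).
HARDENED = _wrap('<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" '
                 'secretRequired="true" secret="REPLACE_WITH_RANDOM_SECRET" redirectPort="8443" />')

# Connector disabled as the security guide recommends when AJP is not required.
COMMENTED_OUT = _wrap('<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->')


if __name__ == "__main__":
    for label, cfg in [("default-pre-fix", DEFAULT_PRE_FIX), ("misconfigured", MISCONFIGURED),
                       ("hardened", HARDENED), ("commented-out", COMMENTED_OUT)]:
        found = audit_server_xml(cfg)
        print(f"{label:16} {exposure_summary(found):9}",
              [(f.port, f.address, f.issues) for f in found])
```

Run against a real server.xml by reading the file into `audit_server_xml`; a result of `hardened` means every AJP Connector is bound to a non-wildcard address and carries a secret, which is the state the description calls for when the AJP port cannot be removed from reach of untrusted users. The script reports configuration only; whether the port is actually reachable from untrusted networks still has to be confirmed at the firewall or host level.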

References

https://lists.apache.org/thread.html/r7c6f492fbd39af34a68681dbbba0468490ff1a97a1bd79c6a53610ef%40%3Cannounce.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cnotifications.ofbiz.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cnotifications.ofbiz.apache.org%3E

https://security.netapp.com/advisory/ntap-20200226-0002/

https://lists.apache.org/thread.html/[email protected]%3Ccommits.ofbiz.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cnotifications.ofbiz.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cnotifications.ofbiz.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cnotifications.ofbiz.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cusers.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cusers.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cusers.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cusers.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cusers.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html

https://lists.apache.org/thread.html/[email protected]%3Cusers.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cusers.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cusers.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cusers.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r9f119d9ce92391140[email protected]%3Cusers.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomee.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomee.apache.org%3E

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomee.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cbugs.httpd.apache.org%3E

https://security.gentoo.org/glsa/202003-43

https://lists.apache.org/thread.html/[email protected]%3Ccommits.tomee.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.tomee.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.tomee.apache.org%3E

https://lists.fedoraproject.org/archives/list/[email protected]/message/2XFLQB3O5QVP4ZBIPVIXBEZV7F2R7ZMS/

https://lists.fedoraproject.org/archives/list/[email protected]/message/L46WJIV6UV3FWA5O5YEY6XLA73RYD53B/

https://lists.fedoraproject.org/archives/list/[email protected]/message/K3IPNHCKFVUKSHDTM45UL4Q765EHHTFG/

https://lists.apache.org/thread.html/[email protected]%3Cusers.tomcat.apache.org%3E

http://support.blackberry.com/kb/articleDetail?articleNumber=000062739

http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html

https://www.debian.org/security/2020/dsa-4673

https://www.debian.org/security/2020/dsa-4680

https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cnotifications.ofbiz.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cnotifications.ofbiz.apache.org%3E

https://www.oracle.com/security-alerts/cpujul2020.html

https://lists.apache.org/thread.html/[email protected]%3Cusers.tomee.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cissues.geode.apache.org%3E

https://www.oracle.com/security-alerts/cpuoct2020.html

https://lists.apache.org/thread.html/[email protected]%3Ccommits.tomee.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.tomee.apache.org%3E

https://www.oracle.com/security-alerts/cpujan2021.html

https://lists.apache.org/thread.html/[email protected]%3Cannounce.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cannounce.apache.org%3E

Details

Source: MITRE

Published: 2020-02-24

Updated: 2021-07-21

Type: CWE-20

Risk Information

CVSS v2

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 3.9

Severity: CRITICAL

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* versions from 7.0.0 to 7.0.99 (inclusive)

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* versions from 8.5.0 to 8.5.50 (inclusive)

cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* versions from 9.0.0 to 9.0.30 (inclusive)

Tenable Plugins

44 plugins in total:

ID | Name | Product | Family | Severity
150630 | SUSE SLES11 Security Update : apache2 (SUSE-SU-2020:14342-1) | Nessus | SuSE Local Security Checks | critical
150589 | SUSE SLES11 Security Update : tomcat6 (SUSE-SU-2020:14334-1) | Nessus | SuSE Local Security Checks | critical
143968 | NewStart CGSL CORE 5.05 / MAIN 5.05 : tomcat Vulnerability (NS-SA-2020-0085) | Nessus | NewStart CGSL Local Security Checks | critical
143082 | RHEL 6 : tomcat6 (RHSA-2020:0912) | Nessus | Red Hat Local Security Checks | critical
140282 | NewStart CGSL CORE 5.04 / MAIN 5.04 : tomcat Vulnerability (NS-SA-2020-0038) | Nessus | NewStart CGSL Local Security Checks | critical
140278 | NewStart CGSL MAIN 4.05 : tomcat6 Vulnerability (NS-SA-2020-0048) | Nessus | NewStart CGSL Local Security Checks | critical
138567 | MySQL Enterprise Monitor 4.0.x < 4.0.12.5346 / 8.0.x < 8.0.20.1237 (Jul 2020 CPU) | Nessus | CGI abuses | critical
138160 | RHEL 7 : tomcat (RHSA-2020:2840) | Nessus | Red Hat Local Security Checks | critical
138023 | RHEL 6 : Red Hat JBoss Enterprise Application Platform 6.4.23 (RHSA-2020:2779) | Nessus | Red Hat Local Security Checks | critical
138021 | RHEL 7 : Red Hat JBoss Enterprise Application Platform 6.4.23 (RHSA-2020:2780) | Nessus | Red Hat Local Security Checks | critical
138020 | RHEL 5 : Red Hat JBoss Enterprise Application Platform 6.4.23 (RHSA-2020:2781) | Nessus | Red Hat Local Security Checks | critical
137487 | EulerOS 2.0 SP2 : tomcat (EulerOS-SA-2020-1645) | Nessus | Huawei Local Security Checks | critical
136951 | Debian DLA-2209-1 : tomcat8 security update | Nessus | Debian Local Security Checks | critical
136662 | SUSE SLES12 Security Update : apache2 (SUSE-SU-2020:1272-1) | Nessus | SuSE Local Security Checks | critical
136376 | Debian DSA-4680-1 : tomcat9 - security update | Nessus | Debian Local Security Checks | critical
136369 | Debian DSA-4673-1 : tomcat8 - security update | Nessus | Debian Local Security Checks | critical
136310 | openSUSE Security Update : apache2 (openSUSE-2020-597) | Nessus | SuSE Local Security Checks | critical
136078 | SUSE SLED15 / SLES15 Security Update : apache2 (SUSE-SU-2020:1126-1) | Nessus | SuSE Local Security Checks | critical
136014 | SUSE SLES12 Security Update : apache2 (SUSE-SU-2020:1111-1) | Nessus | SuSE Local Security Checks | critical
135773 | RHEL 6 : Red Hat JBoss Web Server 5.3 release (Important) (RHSA-2020:1520) | Nessus | Red Hat Local Security Checks | critical
135686 | RHEL 5 : Red Hat JBoss Enterprise Application Platform 6.4 (RHSA-2020:1478) | Nessus | Red Hat Local Security Checks | critical
135567 | EulerOS 2.0 SP3 : tomcat (EulerOS-SA-2020-1438) | Nessus | Huawei Local Security Checks | critical
134906 | CentOS 7 : tomcat (CESA-2020:0855) | Nessus | CentOS Local Security Checks | critical
134872 | Photon OS 3.0: Apache PHSA-2020-3.0-0069 | Nessus | PhotonOS Local Security Checks | critical
134862 | Apache Tomcat AJP Connector Request Injection (Ghostcat) | Nessus | Web Servers | critical
134849 | Scientific Linux Security Update : tomcat6 on SL6.x (noarch) (20200323) | Nessus | Scientific Linux Local Security Checks | critical
134846 | Oracle Linux 6 : tomcat6 (ELSA-2020-0912) | Nessus | Oracle Linux Local Security Checks | critical
134821 | Oracle Linux 7 : tomcat (ELSA-2020-0855) | Nessus | Oracle Linux Local Security Checks | critical
134818 | EulerOS 2.0 SP5 : tomcat (EulerOS-SA-2020-1327) | Nessus | Huawei Local Security Checks | critical
134794 | EulerOS 2.0 SP8 : tomcat (EulerOS-SA-2020-1302) | Nessus | Huawei Local Security Checks | critical
134729 | GLSA-202003-43 : Apache Tomcat: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | critical
134673 | RHEL 7 : tomcat (RHSA-2020:0855) | Nessus | Red Hat Local Security Checks | critical
134668 | RHEL 6 : Red Hat JBoss Web Server 3.1 Service Pack 8 (RHSA-2020:0861) | Nessus | Red Hat Local Security Checks | critical
134651 | Scientific Linux Security Update : tomcat on SL7.x (noarch) (20200317) | Nessus | Scientific Linux Local Security Checks | critical
134620 | openSUSE Security Update : tomcat (openSUSE-2020-345) | Nessus | SuSE Local Security Checks | critical
134575 | Amazon Linux AMI : tomcat8 (ALAS-2020-1353) | Nessus | Amazon Linux Local Security Checks | critical
134574 | Amazon Linux AMI : tomcat7 (ALAS-2020-1352) | Nessus | Amazon Linux Local Security Checks | critical
134569 | Amazon Linux 2 : tomcat (ALAS-2020-1402) | Nessus | Amazon Linux Local Security Checks | critical
134243 | Debian DLA-2133-1 : tomcat7 security update | Nessus | Debian Local Security Checks | critical
98948 | Apache Tomcat 7.0.x < 7.0.100 Multiple Vulnerabilities | Web Application Scanning | Component Vulnerability | critical
98947 | Apache Tomcat 8.5.x < 8.5.51 Multiple Vulnerabilities | Web Application Scanning | Component Vulnerability | critical
98946 | Apache Tomcat 9.0.0.M1 < 9.0.31 Multiple Vulnerabilities | Web Application Scanning | Component Vulnerability | critical
701269 | Apache Tomcat 7.0.x < 7.0.100 / 8.5.x < 8.5.51 / 9.0.x < 9.0.31 Arbitrary File Read Vulnerability | Nessus Network Monitor | Web Servers | high
133845 | Apache Tomcat 7.0.x < 7.0.100 / 8.5.x < 8.5.51 / 9.0.x < 9.0.31 Multiple Vulnerabilities | Nessus | Web Servers | critical