Markvision Enterprise

What Is CVE-2020-1938: Ghostcat - Apache Tomcat AJP File Read/Inclusion Vulnerability

Overview:

The CVE-2020-1938 Ghostcat vulnerability (Apache Tomcat AJP File Read/Inclusion, also tracked as CNVD-2020-10487) stems from the default configuration leaving the AJP port (8009 by default) open and the AJP protocol itself exposed to attack. Here are some links to the technical details:

Product   | Affected Status | Mitigation | Tomcat Version | AJP Used | Port | Patched
----------|-----------------|------------|----------------|----------|------|--------
LDD       | Yes             | Yes        | 7.0.96         | Yes      | 8009 | V5.4
LPM       | Yes             | Yes        | 7.0.96         | Yes      | 8009 |
LPMA      | Yes*            | Yes        |                | No       | 8009 |
LDCM      | No              | N/A        | N/A            | No       | 8009 |
MVE v3.5  | No              | Yes        | 9.0.20         | No       | 8009 |

LPMA*: does not actually use AJP, so the mitigation for the LPMA web server is simply commenting out the AJP Connector in server.xml.

MVE: does not implement AJP, and the vulnerable port is not configured.

LDCM: does not use AJP.

Mitigation of CVE-2020-1938 through AJP port 8009:

We can mitigate this issue at the network level. AJP port 8009 is the Tomcat connector port that Apache uses to forward requests to the application servers, so only the host running Apache needs to reach it.

Method 1 (IP whitelisting using Windows Firewall on the Tomcat server for port 8009)

  • Open Windows Firewall on the server where Tomcat is hosted and click “Advanced Settings”.

  • Create a new inbound rule that blocks traffic to port 8009 from all IPs except the load balancer (where Apache is installed), as depicted in the screenshots below.

    1. Click "New Rule".

    2. Click “Custom” and then click “Next”.

    3. Click “Next” once more.

    4. If we only want to allow traffic from IP 10.195.10.230, then we need to add two IP ranges to block: 0.0.0.0 to 10.195.10.229 and 10.195.10.231 to 255.255.255.255.

    5. Click “Next”.

    6. Make sure that "Block the connection" is selected, then click “Next”.

    7. Check "Domain", "Private", and "Public", then click "Next". Enter a name for the rule, then click “Finish”.

    8. The rule should now appear in the inbound list. It blocks traffic from all IPs except the configured one.

  • Repeat these steps for the UDP port.
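The same rule can be created from an elevated PowerShell prompt instead of the wizard. This is an added example, not part of the Lexmark article; it assumes the load balancer address 10.195.10.230 from step 4 and uses rule names chosen here.

```powershell
# Added example (not from the Lexmark article): scripted form of "Method 1".
# Assumptions: the Apache/load balancer host is 10.195.10.230 (the article's
# example address); the rule names below are chosen here. Run as Administrator
# on the Tomcat host.

$AllowedSource = '10.195.10.230'
$AjpPort       = 8009

# Windows Firewall has no "everything except X" address selector, so the block
# rule lists the two ranges on either side of the allowed address, exactly as
# step 4 of the wizard does.
$BlockedRanges = @(
    '0.0.0.0-10.195.10.229',
    '10.195.10.231-255.255.255.255'
)

# One rule for TCP and, as the article instructs, one for UDP.
foreach ($proto in 'TCP', 'UDP') {
    $name = "Block AJP $AjpPort $proto except $AllowedSource"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name `
            -Direction Inbound `
            -Protocol $proto `
            -LocalPort $AjpPort `
            -RemoteAddress $BlockedRanges `
            -Action Block `
            -Profile Domain, Private, Public `
            -Enabled True | Out-Null
    }
}

# Verify that both rules exist, are enabled, and carry the two blocked ranges.
Get-NetFirewallRule -DisplayName "Block AJP $AjpPort *" | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Enabled       = $_.Enabled
        Action        = $_.Action
        RemoteAddress = ($addr.RemoteAddress -join ', ')
    }
} | Format-Table -AutoSize
```

After applying the rules, confirm the effect from the load balancer (Test-NetConnection -ComputerName <tomcat-host> -Port 8009 should succeed) and from any other host (it should fail); where a product does not need AJP at all, commenting out the AJP Connector in server.xml, as noted for LPMA above, removes the listener entirely.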

Still Need Help?

Should you have other concerns or questions, please contact Lexmark Technical Support and prepare the following information:

  • Printer model(s)

  • Printer serial number

  • Software application

LEGACY ID: FA1306
