Security Vulnerability - CVE-2020-1938 aka 'Ghostcat - Apache Tomcat AJP File Read/Inclusion Vulnerability'
This document (000019606) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 12
SUSE Linux Enterprise Server 15
Situation
This vulnerability was named "Ghostcat" mainly because it has existed for more than a decade: it has been verified to affect Tomcat versions as old as version 6, and older versions are potentially affected as well.
Specifically, any Tomcat instance with the AJP connector enabled and its port (8009 by default) reachable by a malicious user is vulnerable to Ghostcat. The AJP connector treats incoming requests as coming from a trusted reverse proxy, so an attacker who can reach it directly can read arbitrary files from the web application's directories (for example WEB-INF/web.xml) and, if the application also allows file uploads, have an uploaded file processed as a JSP, which leads to remote code execution.
Resolution
SUSE has already shipped the upgraded version 9.0.31 of Tomcat in:
- SUSE Linux Enterprise Server 15 LTSS
- SUSE Linux Enterprise Server 15 Service Pack 1
- SUSE Linux Enterprise Server 12 Service Pack 4
- SUSE Linux Enterprise Server 12 Service Pack 5
Additionally, a patch for Tomcat version 8.0.53 is already shipped in:
- SUSE Linux Enterprise Server 12 Service Pack 1 LTSS
- SUSE Linux Enterprise Server 12 Service Pack 2 LTSS
- SUSE Linux Enterprise Server 12 Service Pack 3 LTSS
Also, a patch for Tomcat version 6.0.53 has been provided in:
- SUSE Linux Enterprise Server 11 Service Pack 4 LTSS
Please note that this update may break existing setups, since the AJP connector is disabled by default after the update. Customers who still need the AJP connector must re-enable it and set a 'secret' in the configuration file.
On SLES servers this configuration is usually located in /etc/tomcat/server.xml.
Inside this file the following section will be commented out:

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <!--
    <Connector protocol="AJP/1.3" address="::1" port="8009" redirectPort="8443" />
    -->

Removing the XML comment tags enables the connector, but when doing so make sure that a 'secret' is specified.
This can be done similarly to the following:

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector protocol="AJP/1.3" address="::1" port="8009" redirectPort="8443" secretRequired="true" secret="YOUR_TOMCAT_AJP_SECRET" />

Replace the string YOUR_TOMCAT_AJP_SECRET above with your own secure secret. Keep address="::1" (or another loopback address) unless a proxy on a different host genuinely needs to reach the connector.
Note that the packages provided by SUSE currently do not enforce the use of a secret for compatibility reasons; regardless, always set a secret when you re-enable the AJP connector. Failing to do so reintroduces the vulnerability.
Additionally, the same secret must be configured on the mod_proxy_ajp side, if it is in use.
Specifically, add the secret parameter to the ProxyPass line in the mod_proxy_ajp configuration:

    ProxyPass / ajp://localhost:8009/ secret=YOUR_TOMCAT_AJP_SECRET

This parameter is not yet available in apache2 mod_proxy_ajp for SUSE Linux Enterprise (upstream Apache httpd added it in version 2.4.42), but will be delivered soon. Until it is, a proxy on the same host can still talk to a connector that has a secret configured only if the secret is not enforced, which is why the SUSE packages currently leave secretRequired unenforced.
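To check a server against the procedure above, the following Python script, added here as an example and not part of this TID or of Apache Tomcat, parses server.xml, reports any AJP connector that is active without a secret or bound to all interfaces, and extracts the secret= parameter from mod_proxy_ajp ProxyPass lines so the two values can be compared. The path /etc/tomcat/server.xml is the one given in this TID; the sample documents and the finding texts are constructed for the example and are not Tomcat messages.

```python
"""Audit a Tomcat server.xml and the matching mod_proxy_ajp line for the
Ghostcat exposure described in this TID.

Added example, not SUSE or Apache Tomcat code. It reports every AJP/1.3
Connector that is live (not commented out) and is bound to all interfaces,
has no secret, or sets secretRequired="false" without a secret, and it pulls
the secret= parameter out of ProxyPass lines so both sides can be compared.
The sample documents below are constructed for illustration.
"""
import re
import sys
import xml.etree.ElementTree as ET
from typing import List, Optional

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
PROXYPASS_AJP = re.compile(r"^\s*ProxyPass(?:Match)?\s+\S+\s+ajp://(\S+)(.*)$", re.I)


def audit_ajp(server_xml: str) -> List[str]:
    """Return one finding per weakness found on active AJP connectors.

    An empty list means there is no active AJP connector, or every active one
    is bound to loopback and carries a secret.
    """
    findings: List[str] = []
    root = ET.fromstring(server_xml)
    # ElementTree discards XML comments, so a commented-out <Connector> is
    # invisible here, exactly as it is to Tomcat: it is not listening.
    for conn in root.iter("Connector"):
        if "AJP" not in conn.get("protocol", "").upper():
            continue
        port = conn.get("port", "8009")
        address = conn.get("address")  # absent means bind to all interfaces
        secret = conn.get("secret")
        required = conn.get("secretRequired", "true").lower()
        label = f"AJP connector {address or '*'}:{port}"
        if address is None or address in ("0.0.0.0", "::"):
            findings.append(f'{label}: bound to all interfaces; set address="::1" or firewall port {port}')
        elif address not in LOOPBACK:
            findings.append(f"{label}: reachable over the network; only trusted proxies may connect")
        if not secret:
            if required == "false":
                findings.append(f'{label}: secretRequired="false" and no secret; any client reaching the port is trusted')
            else:
                findings.append(f"{label}: no secret set; on packages that do not enforce secretRequired any client reaching the port is trusted")
    return findings


def proxypass_secrets(apache_conf: str) -> List[Optional[str]]:
    """Return the secret= value of every ajp:// ProxyPass line, None when missing."""
    secrets: List[Optional[str]] = []
    for line in apache_conf.splitlines():
        m = PROXYPASS_AJP.match(line)
        if not m:
            continue
        s = re.search(r"\bsecret=(\S+)", m.group(2))
        secrets.append(s.group(1) if s else None)
    return secrets


# Constructed samples: WEAK is the connector from this TID with its comment tags
# removed and no secret; HARDENED is the corrected form; DISABLED leaves it
# commented out as shipped.
_SERVICE = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
{ajp}
<Engine name="Catalina" defaultHost="localhost" /></Service></Server>"""

WEAK_SERVER_XML = _SERVICE.format(
    ajp='<Connector protocol="AJP/1.3" port="8009" redirectPort="8443" />')
HARDENED_SERVER_XML = _SERVICE.format(
    ajp='<Connector protocol="AJP/1.3" address="::1" port="8009" redirectPort="8443" '
        'secretRequired="true" secret="YOUR_TOMCAT_AJP_SECRET" />')
DISABLED_SERVER_XML = _SERVICE.format(
    ajp='<!-- <Connector protocol="AJP/1.3" address="::1" port="8009" redirectPort="8443" /> -->')
PROXY_CONF = "ProxyPass / ajp://localhost:8009/ secret=YOUR_TOMCAT_AJP_SECRET\n"


def main(argv: List[str]) -> int:
    """Audit the server.xml given on the command line; with no argument, run on the samples."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:  # e.g. /etc/tomcat/server.xml
            samples = {argv[1]: fh.read()}
    else:
        samples = {"WEAK": WEAK_SERVER_XML, "HARDENED": HARDENED_SERVER_XML,
                   "DISABLED": DISABLED_SERVER_XML}
    worst = 0
    for name, xml_text in samples.items():
        findings = audit_ajp(xml_text)
        worst = max(worst, 1 if findings else 0)
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print("  WARN", f)
    print("ProxyPass secrets:", proxypass_secrets(PROXY_CONF))
    return worst


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 audit_ajp.py /etc/tomcat/server.xml`; a non-zero exit means at least one finding. The script only compares configuration, so after fixing both sides also confirm from the proxy host that a request through Apache still reaches Tomcat and that a direct connection to port 8009 from any other host is refused.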
SUSE recommends that all customers keep their systems up to date and apply this security patch.
Cause
Status
Additional Information
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000019606
- Creation Date: 15-Apr-2020
- Modified Date: 17-Apr-2020
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com