Introduction: IMPORTANT NOTE: The AJP/1.3 Connector is now deprecated. Use the Coyote JK Connector instead. The AJP/1.3 Connector element represents a Connector component that communicates with a web connector via the JK protocol (also known as the AJP protocol). This is used for cases where you wish to invisibly integrate Tomcat 4 into an existing (or new) web server.

nmap -p 8009 --script ajp-brute
Script Output
PORT STATE SERVICE
8009/tcp open ajp13
ajp-brute:
Accounts
root:secret - Valid credentials
Statistics
Performed 1946 guesses in 23 seconds, average tps: 82

Java client library for the Apache JServ Protocol 1.3. Java implementation of an AJP13 protocol client, allowing one to send requests to a servlet container using this protocol. It uses netty and handles connection pooling. Licensed under the Apache License, Version 2.0 (see LICENSE). Simple Usecases.
As previously reported, a severe vulnerability exists in Apache Tomcat’s Apache JServ Protocol. The Chinese cyber security company Chaitin Tech discovered the vulnerability, named “Ghostcat”, which is tracked using CVE-2020-1938 and rated critical severity with a CVSS v3 score of 9.8.
This blog post details how web application security teams can detect this vulnerability using Qualys Web Application Scanning (WAS). This new Qualys WAS detection complements the detection that uses Qualys VMDR®.
Apache Tomcat web servers are widely used for deploying Java-based web applications. The Apache JServ Protocol (AJP) is used for communication between Tomcat and the Apache web server. It is a binary protocol and is enabled by default: whenever the web server is started, the AJP connector listens on port 8009. It is primarily used as a reverse proxy channel to communicate with application servers.
The most common way to identify whether the protocol is enabled is to locate the web server's conf/ directory and look for the server.xml configuration file, which specifies all the default protocols and the document root directory configuration. Reading server.xml shows that the connector on port 8009 is not commented out and is therefore enabled by default.
The Apache Tomcat AJP File Inclusion vulnerability (CVE-2020-1938) is exploitable only if port 8009 is exposed and AJP is installed.
Affected Apache Tomcat versions will get reported under the Qualys WAS detection (see details of the detection below).
- Apache Tomcat 9.0.0 to 9.0.30
- Apache Tomcat 8.5.0 to 8.5.50
- Apache Tomcat 7.0.0 to 7.0.99
With this vulnerability, an attacker can easily gain access to configuration files if the protocol is publicly available. If arbitrary file upload is not disabled, it is then possible for the attacker to upload malicious code to the web server that enables remote code execution.
Below is a report of the exploit:
You can read any webapps files or include a file to RCE. JUST A POC-GIF with no DETAILS
Tomcat has fixed this vulnerability, UPDATE! pic.twitter.com/Jauc5zPF3a
— Henry Chen (@chybeta) February 20, 2020
Identifying CVE-2020-1938 Vulnerability using WAS scan
Enable QID 150282 in your Qualys WAS option profiles to identify whether you are running a vulnerable version of Apache Tomcat. The WAS scan reports QID 150282 as a potential vulnerability. To keep it simple, the scan does not attempt to confirm the vulnerability actively by uploading an arbitrary file. Because AJP is a binary counterpart of HTTP and cannot be requested over HTTP, the detection of a vulnerable server is based on the presence of a vulnerable Tomcat version together with the fact that Tomcat ships with the AJP connector enabled in its default configuration.
Additional Attack Vector
We also recommend enabling the following two QIDs in Qualys Web Application Scanning:
- 150114: Arbitrary File Upload
- 150125: File Upload Form Found
The vulnerability becomes more critical when the application allows file uploads, since this opens the possibility of remote code execution and lets an attacker take complete control of the web server. This requires immediate attention if you are using AJP and a vulnerable version of Apache Tomcat.
Disable port 8009 by commenting out (or deleting) the AJP Connector block in server.xml that enables this vulnerability.
Restart the Apache Web Server for the changes to take effect.
Regardless of whether you disable AJP, we also recommend defining a strong secret in the requiredSecret attribute of the AJP Connector in server.xml. This attribute sets the AJP protocol authentication credential and ensures that only requests from authenticated workers are honored. Tomcat then instantiates the AJP connector only when the attribute is specified with a non-null and non-zero value. Note that the Tomcat documentation clearly states the default value of the attribute is null.
It is recommended to upgrade to patched versions of Apache Tomcat Web Servers:
- Apache Tomcat version 9.0.31
- Apache Tomcat version 8.5.51
- Apache Tomcat version 7.0.100
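The checks above (is the Tomcat version in an affected range, is the AJP connector in server.xml still enabled, is it bound to every interface, does it carry a secret) can be scripted for an offline audit of a configuration backup or a fleet of hosts. The following Python script is an added example written for this post; it is not Qualys or Apache code. It assumes the affected and fixed version ranges listed above, treats requiredSecret (the attribute named in this post) and secret (the name later Tomcat releases use for the same setting) as equivalent, and uses a constructed server.xml that reproduces the risky default plus a constructed hardened variant.

```python
"""Offline audit of Tomcat server.xml for CVE-2020-1938 exposure (added example)."""
import re
import xml.etree.ElementTree as ET

# Affected ranges as stated in the post (inclusive); anything at or past the
# fixed releases 9.0.31 / 8.5.51 / 7.0.100 falls outside them.
AFFECTED_RANGES = [
    ((9, 0, 0), (9, 0, 30)),
    ((8, 5, 0), (8, 5, 50)),
    ((7, 0, 0), (7, 0, 99)),
]

# Constructed sample: the default-style layout with the AJP connector enabled,
# bound to all interfaces and without any secret. The commented-out connector
# is ignored by the parser, exactly as Tomcat would ignore it.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <!-- <Connector port="8010" protocol="AJP/1.3" redirectPort="8443" /> -->
  </Service>
</Server>
"""

# Constructed hardened variant: loopback-only and with a (placeholder) secret.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               requiredSecret="REPLACE_WITH_LONG_RANDOM_SECRET" />
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_version(version: str) -> tuple:
    """Extract the leading major.minor.patch triple from a Tomcat version string."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version: str) -> bool:
    """True if the version lies inside one of the affected ranges from the post."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per active AJP Connector, with the issues a defender cares about."""
    root = ET.fromstring(server_xml)  # comments are dropped, so disabled connectors vanish
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue
        address = conn.get("address")  # absent means "listen on all interfaces"
        secret = conn.get("requiredSecret") or conn.get("secret")
        issues = []
        if address is None or address in ("0.0.0.0", "::"):
            issues.append("bound to all interfaces")
        elif address not in LOOPBACK:
            issues.append(f"bound to non-loopback address {address}")
        if not secret:
            issues.append("no requiredSecret/secret configured")
        findings.append({"port": conn.get("port", "8009"), "address": address, "issues": issues})
    return findings


def assess(version: str, server_xml: str) -> dict:
    """Combine the version check with the connector audit into one verdict."""
    findings = audit_ajp_connectors(server_xml)
    exposed = any(f["issues"] for f in findings)
    return {
        "affected_version": is_affected_version(version),
        "ajp_connectors": findings,
        "action_required": is_affected_version(version) and exposed,
    }


if __name__ == "__main__":
    for label, xml in (("default", SAMPLE_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, assess("9.0.30", xml))
```

Run it against a real conf/server.xml by reading the file into a string and passing the Tomcat version reported at startup; an empty findings list means no AJP connector is active at all, which is the post's first recommendation.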
Additional detection and remediation details are described in Automatically Discover, Prioritize and Remediate Apache Tomcat AJP File Inclusion Vulnerability (CVE-2020-1938) using Qualys VMDR.
How To Configure Tomcat to work with Apache
How to Connect Tomcat 6 to Apache HTTP Server 2
Tomcat can be run as a standalone server. Tomcat can also be run as an add-on to the Apache HTTP Server (or Microsoft IIS) as the Java servlet/JSP container. In this combination, Tomcat executes the Java servlets and JSPs, while Apache serves the static HTML pages and performs other server-side functions such as CGI, PHP, SSI, etc. Read 'Why should I integrate Apache with Tomcat? (or not)' at the Tomcat FAQ (http://wiki.apache.org/tomcat/FAQ/Connectors#Q3).
To configure Tomcat to work with Apache HTTP Server, you should first read the documentation provided in Tomcat thoroughly, and read the 'Tomcat Connector' documents @ http://tomcat.apache.org/connectors-doc.
To run Tomcat together with Apache:
- Apache needs to load an 'adapter' module, which uses a certain protocol, such as the Apache JServ Protocol (AJP), to communicate with Tomcat via another TCP port (port 8009 in the default configuration).
- When Apache receives an HTTP request, it checks whether the request belongs to Tomcat. If so, it lets the adapter take the request and forward it to Tomcat, as illustrated below.
There are a few adapter modules available, such as the Apache JServ Protocol (AJP) v1.2 'JServ' module (outdated), the AJP v1.3 'JK 1.2' module (in use) and the 'JK 2' module (deprecated). I will only describe the JK 1.2 module with Apache 2 here.
The step-by-step procedure is as follows:
Step 0.1: Install Apache HTTP Server - Refer to 'Apache HTTP Server - How To'. I shall assume that Apache is installed in directory 'd:\myproject\apache' and runs on port 7000. I shall denote the Apache installed directory as
Step 0.2: Install Tomcat - Refer to 'Tomcat - How To'. I shall assume that Tomcat is installed in directory 'd:\myproject\tomcat' and runs on port 8080. Tomcat shall contain two web contexts: '/examples' (Tomcat's servlets and JSP examples) and '/ws' (to be created by you). I shall denote Tomcat's installed directory as $CATALINA_HOME (Catalina is the code name for Tomcat 5 and above).
Step 1: Download the Apache-Tomcat Connector Module - An Apache-Tomcat connector, the JK 1.2 module, which is an adapter module used by Apache to communicate with Tomcat (using the AJP v1.3 protocol through TCP port 8009), can be downloaded from the Tomcat mother site @ tomcat.apache.org (⇒ Download ⇒ Tomcat Connectors ⇒ JK 1.2 ⇒ JK 1.2 Binary Releases ⇒ win32 ⇒ jk-1.2.xx ⇒ '
Rename the downloaded module to 'mod_jk.so' and move it into directory '
Step 2: Configure Apache - We need to configure the Apache HTTP Server to load and initialize the JK module.
Create a configuration file called 'mod_jk.conf' as follows and place it in '
For each web context that is to be forwarded from Apache to Tomcat, include two JKMount statements as shown. In the above configuration, Apache forwards all requests to the web contexts '/examples' and '/ws' to Tomcat, via a 'worker' called 'ajp13'. (Check the URL of Tomcat's servlet and JSP examples from Tomcat's welcome page! It may move!)
Include the above configuration directives into Apache's configuration by adding the following include statement at the end of '
Note: Unix's forward slash is used as the directory separator instead of the backward slash (because Apache was originally built for Unix). The include statement simply appends all the statements from the file 'd:\myproject\tomcat\conf\mod_jk.conf' into 'httpd.conf'. (You can of course add those statements into '
Next, observe that the configuration refers to a worker file called 'workers.properties' and forwards certain requests to a JK worker called 'ajp13'. Create the 'workers.properties' file and place it in 'd:\myproject\tomcat\conf' as follows:
The JKMount statements forward the requests to a worker called 'ajp13', which is defined in this '
Step 3: Configure Tomcat - The default configuration in Tomcat's 'conf\server.xml' starts the AJP 1.3 service via the following configuration, on TCP port 8009 (remove the comments if these lines are commented out).
Step 4: Start Apache with the JK module
Check Apache's log 'logs\errors.log' to confirm that the JK module was started:
Step 5: Start the Tomcat server
Observe that the AJP 1.3 service is initiated and the ajp13 worker is listening on port 8009.
The order of starting up Tomcat and Apache is NOT important. Either Apache or Tomcat can be restarted at any time.
Step 6: Verify the Installation - Issue the following URLs to access the web contexts '/examples' and '/ws', which are defined in Tomcat (running on port 8080) but accessed via Apache (running on port 7000).
REFERENCES & RESOURCES
- Apache-Tomcat Connectors @ http://tomcat.apache.org/download-connectors.cgi
- Apache-Tomcat Connectors Documentation
- Apache mother site @ www.apache.org
- Tomcat mother site @ tomcat.apache.org
Latest version tested: Apache 2.2.16 / Tomcat 7.0.2 / JK 1.2.30
Last modified: October, 2010