The Ghostcat vulnerability in AJP connector

Fixing the Ghostcat vulnerability in Tomcat’s AJP connector, with an explanation of Ghostcat and AJP

Bhanuka Dissanayake
Level Up Coding


I got the following error when starting Tomcat: the AJP connector refused to start because secretRequired is true by default and no secret was configured.

While researching this on the web, I found a fix and also an interesting topic worth digging into further: the Ghostcat vulnerability, which affects Tomcat when the AJP connector is enabled. First, let's see what AJP is.

Apache JServ Protocol (AJP)

A Tomcat Connector lets Catalina receive requests from the outside, pass them to the matching web application for processing, and return the response. Historically the shipped server.xml enabled two Connectors, an HTTP Connector on port 8080 and an AJP Connector on port 8009. Since the Ghostcat fix (Tomcat 7.0.100, 8.5.51 and 9.0.31) the AJP Connector in the default server.xml is commented out and has to be enabled explicitly.

AJP is a binary protocol that is more efficient than HTTP: headers and other request metadata are sent in a compact encoded form, so the receiving side does not have to parse text. It is mainly used when a front-end web server (for example Apache httpd with mod_jk or mod_proxy_ajp) reverse-proxies or load-balances requests to one or more Tomcat instances.

The AJP protocol needs extra security consideration because the proxy can pass request attributes that Tomcat trusts directly, which gives whoever can reach the AJP port far more control over Tomcat's internal request handling than the HTTP connector allows. The AJP port should therefore only ever be reachable by the trusted reverse proxy, never by end users.

Fixing the above error

When the AJP connector is enabled, a secret must be set on it in conf/server.xml; otherwise Tomcat refuses to start the connector with the error above. This is because secretRequired="true" became the default with the Ghostcat fix (Tomcat 7.0.100, 8.5.51 and 9.0.31), which breaks existing deployments that never configured a secret.

You can set a secret using secret="YOUR_TOMCAT_AJP_SECRET" on the AJP Connector element, which fixes the error. The same secret must also be configured on the reverse proxy that talks to Tomcat (for example the worker secret in mod_jk, or the secret parameter of mod_proxy_ajp), otherwise the proxy's requests will be rejected.

Alternatively you can set secretRequired="false" on the connector. That also makes the error go away, but it reintroduces the Ghostcat vulnerability (CVE-2020-1938) whenever the AJP port is reachable by anyone other than your proxy.
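As an added example (not from the original article or from the Tomcat project), here is a small Python audit script for the AJP Connector settings discussed above. It embeds two constructed server.xml fragments, the quick secretRequired="false" workaround and the hardened form with a secret and a loopback address, and reports the findings a reviewer would raise for each AJP connector. The attribute names (protocol, port, address, secretRequired, secret) are the real ones from the Tomcat AJP Connector reference; the file contents, the placeholder secret and the finding wording are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a real deployment): the quick workaround that makes
# the start-up error go away but reintroduces Ghostcat.
WEAK_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector protocol="AJP/1.3" port="8009" redirectPort="8443" secretRequired="false" />
  </Service>
</Server>
"""

# Constructed sample: the hardened form. The secret is a placeholder; the proxy
# (mod_jk / mod_proxy_ajp) must be configured with the same value.
HARDENED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector protocol="AJP/1.3" port="8009" redirectPort="8443"
               address="127.0.0.1" secretRequired="true" secret="YOUR_TOMCAT_AJP_SECRET" />
  </Service>
</Server>
"""

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one {"port": ..., "findings": [...]} dict per AJP connector.

    An empty findings list means the connector requires a secret, has one,
    and is bound to a loopback address.
    """
    root = ET.fromstring(server_xml.strip())
    results = []
    for conn in root.iter("Connector"):
        # protocol defaults to HTTP/1.1 when omitted, so only AJP/... matters here
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        findings = []

        # secretRequired defaults to true since the Ghostcat fix
        # (7.0.100 / 8.5.51 / 9.0.31); an explicit "false" is the risky setting.
        secret_required = conn.get("secretRequired", "true").strip().lower() == "true"
        secret = conn.get("secret", "").strip()
        if not secret_required:
            findings.append("secretRequired=false: any client that can reach the port "
                            "can send AJP requests without authentication")
        if not secret:
            findings.append("no secret configured"
                            + (" (Tomcat will refuse to start this connector)"
                               if secret_required else ""))

        # Without an explicit address, current Tomcat binds the loopback address,
        # but older releases bound all interfaces; set it explicitly either way.
        address = conn.get("address")
        if address is None:
            findings.append("no address attribute: set it explicitly (older Tomcat "
                            "versions listen on all interfaces by default)")
        elif address not in LOOPBACK_ADDRESSES:
            findings.append(f"bound to {address}: confirm only the reverse proxy "
                            "can reach this port")

        results.append({"port": conn.get("port"), "findings": findings})
    return results


def is_ghostcat_exposed(server_xml: str) -> bool:
    """True if any AJP connector accepts requests without a secret."""
    root = ET.fromstring(server_xml.strip())
    for conn in root.iter("Connector"):
        if conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            if conn.get("secretRequired", "true").strip().lower() != "true":
                return True
    return False


if __name__ == "__main__":
    for name, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(f"== {name} server.xml ==")
        for result in audit_ajp_connectors(xml_text):
            print(f"AJP connector on port {result['port']}:")
            for finding in result["findings"] or ["no findings"]:
                print(f"  - {finding}")
```

Run it against a real conf/server.xml by reading the file into a string and passing it to audit_ajp_connectors. The address check is deliberately strict: even with a secret, an AJP connector that listens on all interfaces relies on the secret alone, so binding it to loopback (or a firewalled internal address) is the second layer a practitioner would want.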

So, let's see what the Ghostcat vulnerability is.

Ghostcat vulnerability

Ghostcat is a vulnerability in Apache Tomcat 6.x, 7.x, 8.x and 9.x, fixed in 7.0.100, 8.5.51 and 9.0.31 (6.x is end of life and has no fix). It was discovered by Chaitin Tech security researchers and lives in the AJP connector: AJP trusts the request attributes sent by the proxy, so an attacker who can reach port 8009 directly can set the attributes Tomcat normally uses for an internal include (the javax.servlet.include.* attributes) and make the DefaultServlet or JspServlet serve a path of the attacker's choosing. Ghostcat therefore lets an attacker read the configuration files and source files of every web application deployed on Tomcat, and anything else reachable through ServletContext.getResourceAsStream(), such as WEB-INF/web.xml. It also lets the attacker have any file inside a web application processed as a JSP, which turns into remote code execution when the application additionally lets the attacker place a file on the server, for example through an upload feature.

I hope this helps you fix the error and understand why the AJP secret matters. Thank you for reading!

References

  1. Apache Tomcat 9 Configuration Reference (9.0.54) — The AJP Connector
  2. Busting Ghostcat: Analysis of CVE-2020-1938
  3. Chaitin’s documentation on Ghostcat


Software Engineer | Computer Science & Engineering — University of Moratuwa