Vulnerability Description
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising.

In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed:

- returning arbitrary files from anywhere in the web application
- processing any file in the web application as a JSP

Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means), then this, along with the ability to process a file as a JSP, made remote code execution possible.

It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
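As an added example (not part of the advisory or of Tomcat itself), the following script audits a Tomcat server.xml for the two AJP Connector settings the 9.0.31 hardening changed: binding to all interfaces instead of loopback, and accepting connections without a shared secret (the `secret` attribute, `requiredSecret` on older releases, and `secretRequired` on 9.0.31/8.5.51 and later). The server.xml fragments are constructed for the example; a connector that the deployment does not need should simply be removed.

```python
"""Audit Tomcat server.xml AJP Connector settings relevant to CVE-2020-1938.

Added example, not from the advisory. Flags an AJP Connector that is
bound to a non-loopback address (no "address" attribute, or one outside
the loopback set) or that requires no shared secret ("secret"/legacy
"requiredSecret" absent, or secretRequired="false").
"""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost", "0:0:0:0:0:0:0:1"}


def audit_ajp(server_xml: str) -> list:
    """Return one (port, [issues]) entry per AJP connector found."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # A Connector without "protocol" is HTTP/1.1; only AJP carries the elevated trust.
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue
        issues = []
        addr = conn.get("address")
        if addr is None or addr not in LOOPBACK:
            issues.append("listens on a non-loopback address")
        secret = conn.get("secret") or conn.get("requiredSecret")
        if conn.get("secretRequired", "true").lower() == "false" or not secret:
            issues.append("no shared secret required")
        findings.append((conn.get("port", "?"), issues))
    return findings


# Constructed fragments: the pre-9.0.31 default and a hardened equivalent.
DEFAULT_PRE_9_0_31 = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

HARDENED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET"
             redirectPort="8443"/>
</Service></Server>"""

if __name__ == "__main__":
    for label, xml in (("default", DEFAULT_PRE_9_0_31), ("hardened", HARDENED)):
        for port, issues in audit_ajp(xml):
            print(f"{label}: AJP port {port}: {issues or 'OK'}")
```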
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Geode | 1.12.0 |
| Apache | Tomcat | >= 7.0.0, < 7.0.100 |
| Fedoraproject | Fedora | 30 |
| Oracle | Agile Engineering Data Management | 6.2.1.0 |
| Oracle | Agile Plm | 9.3.3 |
| Oracle | Communications Element Manager | 8.1.1 |
| Oracle | Communications Instant Messaging Server | 10.0.1.4.0 |
| Oracle | Health Sciences Empirica Inspections | 1.0.1.2 |
| Oracle | Health Sciences Empirica Signal | 7.3.3 |
| Oracle | Hospitality Guest Access | 4.2.0 |
| Oracle | Instantis Enterprisetrack | >= 17.1, <= 17.3 |
| Oracle | Mysql Enterprise Monitor | <= 4.0.12 |
| Oracle | Siebel Ui Framework | <= 20.5 |
| Oracle | Transportation Management | 6.3.7 |
| Oracle | Workload Manager | 12.2.0.1 |
| Debian | Debian Linux | 8.0 |
| Opensuse | Leap | 15.1 |
| Blackberry | Good Control | <= 5.2.58.38 |
| Blackberry | Workspaces Server | 7.0.1 |
| Netapp | Data Availability Services | - |
References
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00002.html (Mailing List, Third Party Advisory)
- http://support.blackberry.com/kb/articleDetail?articleNumber=000062739 (Third Party Advisory)
- https://lists.apache.org/thread.html/r089dc67c0358a1556dd279c762c74f32d7a254a548 (Mailing List)
- https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a9 (Mailing List)
- https://lists.apache.org/thread.html/r17aaa3a05b5b7fe9075613dd0c681efa60a4f8c8fb (Mailing List)
- https://lists.apache.org/thread.html/r38a5b7943b9a62ecb853acc22ef08ff586a7b3c66e (Mailing List)
- https://lists.apache.org/thread.html/r43faacf64570b1d9a4bada407a5af3b2738b0c007b (Mailing List)
- https://lists.apache.org/thread.html/r47caef01f663106c2bb81d116b8380d62beac9e543 (Mailing List)
- https://lists.apache.org/thread.html/r4afa11e0464408e68f0e9560e90b185749363a6639 (Issue Tracking, Mailing List)
- https://lists.apache.org/thread.html/r4f86cb260196e5cfcbbe782822c225ddcc70f54560 (Mailing List)
- https://lists.apache.org/thread.html/r549b43509e387a42656f0641fa311bf27c127c244f (Mailing List)
- https://lists.apache.org/thread.html/r57f5e4ced436ace518a9e222fabe27fb785f09f5bf (Mailing List)
- https://lists.apache.org/thread.html/r5e2f1201b92ee05a0527cfc076a81ea0c270be299b (Mailing List)
- https://lists.apache.org/thread.html/r61f280a76902b594692f0b24a1dbf647bb5a4c197b (Mailing List)
FAQ
What is CVE-2020-1938?
CVE-2020-1938 is a vulnerability with a CVSS score of 9.8 (CRITICAL). When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HT...
How severe is CVE-2020-1938?
CVE-2020-1938 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-1938?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Geode, Apache Tomcat, Fedoraproject Fedora, Oracle Agile Engineering Data Management, Oracle Agile Plm.