Critical: Apache Tomcat AJP file read and inclusion vulnerability (Ghostcat)
CVE ID: CVE-2020-1938
Exploitation status: public exploit (EXP) available
Patch status: official patch available
Disclosure date: 2020-02-25

Vulnerability description
Apache Tomcat is a Servlet container developed by the Jakarta project of the Apache Software Foundation. By default, Apache Tomcat enables the AJP connector so that front-end web servers (for example Apache httpd with mod_jk or mod_proxy_ajp) can forward requests to it over the AJP protocol. Tomcat's AJP implementation trusts request attributes supplied by the AJP client, so an attacker who can reach the AJP port can send crafted AJP requests that read, or include, any file under the web application's root directory, including WEB-INF/web.xml and any configuration, source code or credentials deployed with the application. If the application also offers a file-upload function, an uploaded file can be included as JSP and executed, giving arbitrary code execution. The attack goes through the AJP service port, so instances whose AJP port is not reachable by the attacker are not affected; note that the affected Tomcat releases enable the AJP connector by default and bind it to 0.0.0.0 (all interfaces). Alibaba Cloud's Security Emergency Response Center urges Apache Tomcat users to check whether their AJP port (8009 by default) is exposed and to take measures to block attacks.

Affected versions
- Apache Tomcat 6 (all versions; end of life, no fixed release)
- Apache Tomcat 7 < 7.0.100
- Apache Tomcat 8 < 8.5.51
- Apache Tomcat 9 < 9.0.31

Safe versions
- Apache Tomcat 7.0.100
- Apache Tomcat 8.5.51
- Apache Tomcat 9.0.31
Remediation
1. Upgrade to a safe version.
2. If AJP is not needed, disable the AJP connector: edit Tomcat's conf/server.xml (not service.xml), comment out the `<Connector port="8009" protocol="AJP/1.3" ... />` element, and restart Tomcat.
3. If AJP must stay enabled for a front-end web server, bind it to the loopback or an internal interface with the `address` attribute and, on the fixed releases, configure a shared secret (`secretRequired="true"` with `secret="..."`) that the front end also sets; keep the port firewalled from untrusted networks in either case.
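To check the server.xml change across many hosts rather than by eye, the following Python is an added example written for this advisory (not Alibaba Cloud's or the Tomcat project's code). It parses a server.xml, lists every AJP connector, and flags one as exposed when it binds to all interfaces and has no shared secret. Both configurations embedded in it are constructed samples: the weak one mirrors the pre-fix default connector line, the hardened one shows the loopback binding plus secret described in step 3, which goes beyond the advisory's own "comment it out" advice.

```python
"""Audit Tomcat server.xml for AJP connectors exposed to CVE-2020-1938 (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: the pre-fix default shipped the AJP connector enabled,
# with no address= (all interfaces) and no secret.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: the connector kept only for a local reverse proxy, bound to
# loopback and requiring the shared secret supported by 7.0.100 / 8.5.51 / 9.0.31.
# If AJP is not used at all, remove or comment out the element instead.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-LONG-RANDOM-SECRET" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def is_ajp(connector):
    """AJP connectors use protocol="AJP/1.3" or an org.apache.coyote.ajp.* class name."""
    proto = connector.get("protocol", "HTTP/1.1")
    return proto.upper().startswith("AJP") or "coyote.ajp" in proto


def audit_server_xml(text):
    """Return one finding dict per AJP connector declared in the server.xml text."""
    findings = []
    root = ET.fromstring(text)
    for conn in root.iter("Connector"):
        if not is_ajp(conn):
            continue
        address = conn.get("address")            # absent means bind to every interface
        secret = conn.get("secret")
        loopback = address in ("127.0.0.1", "::1", "localhost")
        findings.append({
            "port": int(conn.get("port", "8009")),
            "address": address or "0.0.0.0",
            "loopback_only": loopback,
            "has_secret": bool(secret),
            # Exposed: reachable beyond loopback and nothing authenticates the AJP client.
            "exposed": not loopback and not secret,
        })
    return findings


def summarize(text):
    """Worst-case verdict for a whole file: 'no_ajp', 'ok' or 'exposed'."""
    findings = audit_server_xml(text)
    if not findings:
        return "no_ajp"
    return "exposed" if any(f["exposed"] for f in findings) else "ok"


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            print(path, summarize(fh.read()))
```

Run it as `python audit.py /path/to/conf/server.xml` on each host (the file name is an assumption). A verdict of `ok` only covers the configuration: an unpatched Tomcat behind a reverse proxy is still exploitable by anything that can reach the loopback port, so the upgrade in step 1 remains the real fix.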
Affected software
The following environments are affected. For distribution packages, "Up to (excluding) X" means package versions below X are affected and X is the first fixed build; distributions usually backport the fix, so a package whose upstream version number is below the safe versions above may still be patched.

| # | Type | Vendor / distribution | Product | Version | Affected range |
|---|---|---|---|---|---|
| 1 | Application | apache | tomcat | * | From (including) 7.0.0 up to (including) 7.0.99 |
| 2 | Application | apache | tomcat | * | From (including) 8.5.0 up to (including) 8.5.50 |
| 3 | Application | apache | tomcat | * | From (including) 9.0.0 up to (including) 9.0.30 |
| 4 | System | alibaba_cloud_linux_2.1903 | tomcat | * | Up to (excluding) 7.0.76-11.1.al7 |
| 5 | System | amazon linux_2 | tomcat | * | Up to (excluding) 2.2-api-7.0.76-10.amzn2.0.1 |
| 6 | System | amazon linux_AMI | tomcat | * | Up to (excluding) 3.0-api-7.0.100-1.36.amzn1 |
| 7 | System | amazon_2 | tomcat | * | Up to (excluding) 7.0.76-10.amzn2.0.1 |
| 8 | System | amazon_AMI | tomcat | * | Up to (excluding) 8.5.51-1.83.amzn1 |
| 9 | System | anolis_os_8 | pki-core | * | Up to (excluding) 10.10.5-3 |
| 10 | System | centos_6 | tomcat | * | Up to (excluding) 6.0.24-114.el6_10 |
| 11 | System | centos_7 | tomcat | * | Up to (excluding) 3.0-api-7.0.76-11.el7_7 |
| 12 | System | debian_10 | tomcat9 | * | Up to (excluding) 9.0.31-1~deb10u1 |
| 13 | System | debian_11 | tomcat9 | * | Up to (excluding) 9.0.31-1 |
| 14 | System | debian_12 | tomcat9 | * | Up to (excluding) 9.0.31-1 |
| 15 | System | debian_8 | tomcat7 | * | Up to (excluding) 7.0.56-3+deb8u3 |
| 16 | System | debian_9 | tomcat8 | * | Up to (excluding) 8.5.54-0+deb9u1 |
| 17 | System | debian_sid | tomcat9 | * | Up to (excluding) 9.0.31-1 |
| 18 | System | fedora_30 | tomcat | * | Up to (excluding) 9.0.31-2.fc30 |
| 19 | System | fedora_31 | tomcat | * | Up to (excluding) 9.0.31-2.fc31 |
| 20 | System | fedora_32 | tomcat | * | Up to (excluding) 9.0.31-2.fc32 |
| 21 | System | fedora_EPEL_6 | tomcat | * | Up to (excluding) 7.0.100-2.el6 |
| 22 | System | kylinos_aarch64_V10 | tomcat | * | Up to (excluding) 7.0.76-15.el7 |
| 23 | System | kylinos_aarch64_V10SP1 | tomcat | * | Up to (excluding) 9.0.10-20.ky10 |
| 24 | System | kylinos_aarch64_V10SP2 | tomcat | * | Up to (excluding) 9.0.10-20.ky10 |
| 25 | System | kylinos_x86_64_V10 | tomcat | * | Up to (excluding) 7.0.76-15.el7 |
| 26 | System | kylinos_x86_64_V10SP1 | tomcat | * | Up to (excluding) 9.0.10-20.ky10 |
| 27 | System | kylinos_x86_64_V10SP2 | tomcat | * | Up to (excluding) 9.0.10-20.ky10 |
| 28 | System | opensuse_Leap_15.1 | tomcat | * | Up to (excluding) 9.0.31-lp151.3.12.1 |
| 29 | System | oracle linux_6 | tomcat | * | Up to (excluding) 6.0.24-114.el6_10 |
| 30 | System | oracle linux_7 | tomcat | * | Up to (excluding) 7.0.76-11.el7_7 |
| 31 | System | oracle_6 | tomcat | * | Up to (excluding) 6.0.24-114.el6_10 |
| 32 | System | oracle_7 | tomcat | * | Up to (excluding) 7.0.76-11.el7_7 |
| 33 | System | redhat_6 | tomcat6 | * | Up to (excluding) 0:6.0.24-114.el6_10 |
| 34 | System | redhat_7 | tomcat | * | Up to (excluding) 7.0.76-11.el7_7 |
| 35 | System | sles_12 | apache2 | * | Up to (excluding) 2.4.16-20.29 |
| 36 | System | sles_12_SP4 | tomcat | * | Up to (excluding) 2.4.23-29.54.1 |
| 37 | System | sles_12_SP5 | tomcat | * | Up to (excluding) 2.4.23-29.54.1 |
| 38 | System | suse_12 | apache2 | * | Up to (excluding) 2.4.16-20.29 |
| 39 | System | suse_12_SP4 | tomcat | * | Up to (excluding) 9.0.31-3.25.1 |
| 40 | System | suse_12_SP5 | tomcat | * | Up to (excluding) 9.0.31-3.25.1 |
| 41 | System | unionos_20 | tomcat | * | Up to (excluding) 9.0.31-1~deb10u2 |
- Attack vector: remote (network)
- Attack complexity: low
- Privileges required: none
- Scope: global impact
- Exploit maturity: public exploit (EXP) available
- Patch status: official patch available
- Confidentiality impact: data disclosure
- Integrity impact: data in transit can be tampered with
- Server impact: server compromise
- Internet-wide exposed count: N/A
| CWE ID | Vulnerability type |
|---|---|
| CWE-20 | Improper input validation |
| CWE-269 | Improper privilege management |
| NVD-CWE-Other | Other (NVD) |
Exploit-related links
- https://github.com/00theway/Ghostcat-CNVD-2020-10487
- https://github.com/0nise/CVE-2020-1938
- https://github.com/bkfish/CNVD-2020-10487-Tomcat-Ajp-lfi-Scanner
- https://github.com/dacade/CVE-2020-1938
- https://github.com/DaemonShao/CVE-2020-1938
- https://github.com/delsadan/CNVD-2020-10487-Bulk-verification
- https://github.com/fairyming/CVE-2020-1938
- https://github.com/fatal0/tomcat-cve-2020-1938-check
- https://github.com/FirstKaiXin/CVE-2020-1938
- https://github.com/I-Runtime-Error/CVE-2020-1938
- https://github.com/Just1ceP4rtn3r/CVE-2020-1938-Tool
- https://github.com/kukudechen-chen/cve-2020-1938
- https://github.com/laolisafe/CVE-2020-1938
- https://github.com/MateoSec/ghostcatch
- https://github.com/nibiwodong/CNVD-2020-10487-Tomcat-ajp-POC
- https://github.com/sgdream/CVE-2020-1938
- https://github.com/shaunmclernon/ghostcat-verification
- https://github.com/sv3nbeast/CVE-2020-1938-Tomact-file_include-file_read
- https://github.com/syncxx/CVE-2020-1938-Tool
- https://github.com/Umesh2807/Ghostcat
- https://github.com/vulhub/vulhub/tree/master/tomcat/CVE-2020-1938
- https://github.com/w4fz5uck5/CVE-2020-1938-Clean-Version
- https://github.com/woaiqiukui/CVE-2020-1938TomcatAjpScanner
- https://github.com/xindongzhuaizhuai/CVE-2020-1938
- https://github.com/YU5Z8X2CvH1fv4ep/CVE-2020-1938-MSF-MODULE
- https://github.com/Zaziki1337/Ghostcat-CVE-2020-1938
- https://github.com/ze0r/GhostCat-LFI-exp
- https://github.com/ZhengHaoCHeng/CNVD-2020-10487
- https://github.com/zhzyker/exphub
- https://gitlab.com/CaptCrypto/ghostscript
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/admin/http/tomcat_ghostcat.rb
- https://tryhackme.com/room/tomghost
- https://www.exploit-db.com/exploits/48143
- https://www.exploit-db.com/exploits/49039
