Apache Tomcat has recently released new versions to fix a vulnerability tracked as CVE-2020-1938 (also referred to as "Ghostcat"). The following versions are affected:
- Apache Tomcat 7.0.0 to 7.0.99
- Apache Tomcat 8.5.0 to 8.5.50
- Apache Tomcat 9.0.0.M1 to 9.0.30
Liferay recommends that customers using any of the affected versions read the referenced articles below and apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.31 or later.
- Upgrade to Apache Tomcat 8.5.51 or later.
- Upgrade to Apache Tomcat 7.0.100 or later.
Please note the following:
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. Prior to these versions, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required.
It is important to note that mitigation is only required if an AJP port is accessible to untrusted users.
It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
Future Service Pack releases for Liferay DXP will be bundled with a newer Tomcat version where this vulnerability is already fixed.
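To check which AJP Connectors in a Tomcat server.xml meet the exposure condition described in the notes above, the following added example (not code from Liferay or the Apache Tomcat project) lists each AJP Connector and flags those that are not limited to loopback and have no shared secret. It relies on the Tomcat Connector attributes `address`, `secret` and the older `requiredSecret`, which this page does not mention; the sample server.xml, the function names and the `patched_tomcat` parameter are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml for illustration (not from a real deployment).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="org.apache.coyote.ajp.AjpNioProtocol"
               address="0.0.0.0" secret="constructed-example-secret"/>
    <Connector port="8011" protocol="AJP/1.3" address="127.0.0.1"/>
  </Service>
</Server>"""

def is_ajp(protocol):
    """True for 'AJP/1.3' and for the org.apache.coyote.ajp.* class names."""
    p = protocol.lower()
    return p.startswith("ajp") or ".ajp." in p

def is_loopback(address):
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:  # a host name rather than an IP literal
        return address.lower() == "localhost"

def audit_ajp(server_xml, patched_tomcat=False):
    """Return one finding per AJP Connector.

    patched_tomcat (hypothetical parameter): True when the file belongs to
    9.0.31 / 8.5.51 / 7.0.100 or later, where a Connector with no address
    attribute binds to loopback instead of all configured addresses.
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # A Connector without a protocol attribute is an HTTP/1.1 connector.
        if not is_ajp(conn.get("protocol", "HTTP/1.1")):
            continue
        address = conn.get("address")
        loopback = patched_tomcat if address is None else is_loopback(address)
        has_secret = bool(conn.get("secret") or conn.get("requiredSecret"))
        findings.append({"port": conn.get("port"),
                         "address": address or "(default)",
                         "loopback_only": loopback,
                         "has_secret": has_secret,
                         "needs_review": not loopback and not has_secret})
    return findings

if __name__ == "__main__":
    for finding in audit_ajp(SAMPLE_SERVER_XML):
        print(finding)
```

A flagged Connector is only a candidate: whether untrusted users can actually reach the port also depends on firewalling and network layout outside server.xml.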
References and Recommended Articles
- Apache Tomcat 9.x vulnerabilities (related section)
- Apache Tomcat 8.x vulnerabilities (related section)
- Apache Tomcat 7.x vulnerabilities (related section)
- CVE-2020-1938 (CVE database)
- Ghostcat is a high-risk file read / include vulnerability in Tomcat [CVE-2020-1938] (blog entry by the security researcher who discovered the vulnerability)
- [SECURITY] CVE-2020-1938 AJP Request Injection and potential Remote Code Execution (mailing list)
- Tomcat 9.0.31, Ghostcat and AJP (Liferay Community Blog entry by David H. Nebinger - Lead Consultant at Liferay)