Developers: | Apache Software Foundation (ASF) |
Date of the premiere of the system: | 1999/06/15 |
Last Release Date: | 2020/02/29 |
Technology: | Server platforms |
Content |
Apache Tomcat is a container of servlets open source.
2020: The vulnerability of Ghostcat allowing to intercept system management
On February 29, 2020 it became known that in server applications Apache Tomcat the serious vulnerability allowing to intercept management of the vulnerable systems is detected. The problem which received the name Ghostcat mentions all versions of Apache Tomcat released for the last 13 years.
According to the company, vulnerability contains in the Apache JServ Protocol (AJP) protocol - the binary protocol providing transfer of incoming requests from the Web server to the application server. The AJP connector is by default switched on on all Tomcat servers and listens to port 8009.
According to specialists of the Chinese company Chaitin, Ghostcat (CVE-2020-1938, CNVD-2020-10487) it can be used for reading/record of files on the Tomcat server. For example, attacking can get access to configuration files of the application and steal passwords or write files on the server (backdoors, web shells, etc.). The last is possible only if any application on the server permits loading of files.
Vulnerabilities are subject the following branches of Apache Tomcat:
- Apache Tomcat 9.x < 9.0.31
- Apache Tomcat 8.x < 8.5.51
- Apache Tomcat 7.x < 7.0.100
- Apache Tomcat 6.x
The adjusting updates for February, 2020 are available to releases of Tomcat 7.x, Tomcat 8.x, and Tomcat 9.x, except for a branch 6.x which support was stopped in 2016. According to search results of BinaryEdge, for February, 2020 in Network well more than one million Tomcat-servers. Besides, from the moment of the publication of information on a problem on GitHub a number of PoC-codes [1, 2, 3, 4 already appeared, 5] for testing and implementation of the attacks of Ghostcat[1].
2015: Description of Apache Tomcat
The product performs the specification of servlets, the JavaServer Pages (JSP) and JavaServer Faces (JSF) specification. It is written in the Java language.
Tomcat allows to start web applications, contains a number of programs for self-configuring.
Screenshot of a window of the page of the Tomcat server, 2013
Server it is used as the independent Web server, as content server in combination with the Web server Apache HTTP Server, as a container of servlets in application servers JBoss and GlassFish.
Development and support of Tomcat are conducted by Apache Software Foundation fund and volunteers. Users have free access to source codes and binary files of Tomcat according to the license Apache License 2.0. The version numbers Tomcat begin with 3.0.x (released the previous versions of Sun for internal use).