
Apache Tomcat

Product
Developer: Apache Software Foundation (ASF)
First release date: 1999/06/15
Last release date: 2020/02/29
Technology: Server platforms


Apache Tomcat is an open source servlet container.

2024: Discovered vulnerability allows Apache Tomcat to be hijacked

In mid-December 2024, FSTEC issued a warning that a flaw, BDU:2024-11286[1], had been detected in the Apache Tomcat Java application server which allows a remote user to execute arbitrary code. Its severity is rated 9.8 out of 10 on CVSSv3. Moreover, a proof-of-concept exploit has already been published on the Internet, so Tomcat users are advised to update to the latest versions as quickly as possible.

The vulnerability stems from a synchronization error when a shared resource is used on a multithreaded system. It lets an outsider use a specially prepared JSP file to trigger a race condition on that shared resource, which can corrupt variable state and lead to execution of foreign code. The vulnerability is present in versions before 11.0.2, 10.1.34 and 9.0.98 (it is fixed in those versions).

"The researcher who discovered the described vulnerability prepared a vulnerable server in advance with the parameters necessary for it," said Margarita Pavlova, head of host discovery at Solar 4RAYS (Solar Group). "According to our observations, such servers are usually configured more securely. But if the server configuration is unsafe, an attacker can deterministically win the race and get remote code execution. For mass exploitation of this type of attack, even within the same infrastructure, the corresponding configuration of the host or service must be the same inside the perimeter; this situation is typical for deployment from a 'golden image'. If such nodes do not install updates in a timely manner, they can expand the attack surface and increase the attacker's chances of successful exploitation."

Exploiting such vulnerabilities requires an attacker with fairly high competence: the thread desynchronization must be set up precisely, and on someone else's equipment.

"Despite the highest level of vulnerability criticality (9.8 according to CVSS) and the presence of an exploit (PoC) in the public domain, it is worth noting that it requires a sufficient level of competence and a deep understanding of the system, so it is fair to say that we will not see 'mass exploitation'," Andrei Shabalin, information security analyst at NGR Softlab, assured TAdviser readers. "Although the disclosure of a vulnerability and the publication of PoCs are usually accompanied by massive attempts by cybercriminals to exploit it, the effect of such campaigns is likely to be small."

Assessments of Tomcat's popularity among Russian users vary.

"Apache is not very popular in Russia and the CIS countries," Anastasia Travkina, associate systems analyst at Webmonitorex, told TAdviser. "According to Shodan, only about 108 thousand servers with Apache are used in Russia. For comparison, in the USA, Germany, Japan, China and France the number of Apache servers is much larger; in the USA, for example, there are about 5 million. Therefore, it can be argued that Apache has not been widely used in Russia and the CIS because of the availability of alternative solutions such as Nginx."

Some experts even note a steady decrease in the number of Apache Tomcat installations reachable from the Internet in Russia.

Chart of Tomcat distribution in Russia during 2024

"As you can see from the Tomcat usage charts above, its popularity has gradually decreased in percentage terms throughout 2024," said Andrey Michkin, head of the information security solutions implementation department at Cloud Networks. "Despite this, it continues to be widely used and remains a fairly effective tool both in Russia and around the world. If we talk about mass attacks, this vulnerability will clearly not be exploited in the format of phishing and spam. I see two possibilities: mass exploitation with low conversion, or targeted exploitation with a high probability of success and high results."

According to other estimates, the share of Apache Tomcat use in Russia is quite large.

"According to a study by Axiom JDK, the most common Java application server in Russia is Apache Tomcat (79%)," Sergey Lunegov, Product Director of Axiom JDK, told TAdviser. "Next, by a substantial margin, is Jetty (39%). Both solutions are open source and can be embedded in the Spring Boot framework. These application servers are used by almost 90% of respondents from large companies (with a staff of 1001-5000 and more than 5000 people). 30% of respondents use two application servers (mainly the same two, Apache Tomcat and Jetty). Apache Tomcat is used in two guises: as an application server and as an embedded library for frameworks such as Spring. As a standalone application server, Tomcat is used much less often than as an embedded library."

The best defense against exploitation of this vulnerability is to update to the latest version in the corresponding branch, but not all users can perform such an update. For those who cannot update their Apache Tomcat installation, FSTEC recommends the following compensating measures:

  • Disable write capabilities for the servlet (this is the standard configuration);
  • Use a web application firewall (WAF) to restrict remote access to the application server;
  • Use intrusion detection and prevention tools (IDS/IPS) to monitor connections to the application server and file uploads;
  • Use secure connections for remote access.

For flaws that depend on operating conditions, which include races for shared resources, strengthening security through safe settings (so-called hardening) is good protection. Monitoring and controlling the settings of key perimeter points is an important part of information security.
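To make the first compensating measure concrete, here is an added check that is not FSTEC's, TAdviser's or the Tomcat project's code. It reads a Tomcat conf/web.xml and reports whether the servlet named "default" has been made writable. It assumes that the "write capabilities for the servlet" in the FSTEC list refers to the `readonly` init-param of Tomcat's DefaultServlet, which ships as true; both web.xml fragments are constructed samples, one left at the shipped default and one with the unsafe setting.

```python
"""Audit Tomcat's conf/web.xml for a write-enabled default servlet.

Added example for this page; not code from TAdviser, FSTEC or the Tomcat
project. Assumption: the "write capability" named in the compensating
measure is the DefaultServlet init-param "readonly" (shipped default: true).
"""
import xml.etree.ElementTree as ET

# Constructed sample: the <servlet> block roughly as shipped. "readonly" is
# not set, so Tomcat's built-in default (true) applies.
HARDENED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed sample: an operator has set readonly=false, the unsafe setting
# that lets HTTP PUT/DELETE write into the web root.
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip the namespace ({uri}name -> name); Tomcat 9 and 10/11 use different ones."""
    return tag.rsplit("}", 1)[-1]


def _text(el) -> str:
    return (el.text or "").strip()


def default_servlet_settings(web_xml: str) -> dict:
    """Return the init-params of the servlet named "default" ({} if it is absent)."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name, params = None, {}
        for child in servlet:
            if _local(child.tag) == "servlet-name":
                name = _text(child)
            elif _local(child.tag) == "init-param":
                pair = {_local(g.tag): _text(g) for g in child}
                if "param-name" in pair:
                    params[pair["param-name"]] = pair.get("param-value", "")
        if name == "default":
            return params
    return {}


def default_servlet_writable(web_xml: str) -> bool:
    """True when the default servlet accepts writes.

    Mirrors how DefaultServlet reads the setting: with "readonly" absent the
    built-in default true applies; when present it is parsed like Java's
    Boolean.parseBoolean, so only a case-insensitive "true" keeps the servlet
    read-only and anything else ("false", "no", "0") makes it writable.
    """
    value = default_servlet_settings(web_xml).get("readonly")
    if value is None:
        return False
    return value.strip().lower() != "true"


def audit(web_xml: str) -> list:
    """Human-readable findings; an empty list means nothing was flagged."""
    settings = default_servlet_settings(web_xml)
    if not settings:
        return ["no servlet named 'default' found; check was inconclusive"]
    findings = []
    if default_servlet_writable(web_xml):
        findings.append("default servlet is writable (readonly=%r); set it to true or remove the param"
                        % settings.get("readonly"))
    if settings.get("listings", "false").strip().lower() == "true":
        findings.append("directory listings are enabled (listings=true)")
    return findings


if __name__ == "__main__":
    for label, doc in (("hardened", HARDENED_WEB_XML), ("weak", WEAK_WEB_XML)):
        print(label, audit(doc) or ["OK"])
```

Run it against the real file with `audit(open("/path/to/tomcat/conf/web.xml").read())`; applications can override the default servlet in their own WEB-INF/web.xml, so each deployed application's descriptor deserves the same pass.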

"Ready-made exploits have already appeared (and quickly disappeared) on the Internet," Ilya Polyakov, head of code analysis at Angara Security, explained to TAdviser readers. "However, it is worth noting that successful exploitation of this vulnerability requires very specific and unsafe settings on the vulnerable server, which limits mass exploitation. Protection against exploitation of this specific vulnerability lies, of course, in updating the vulnerable system to the version recommended by the developers. More universal advice is to strengthen information security and apply the principle of least privilege as widely as possible, which will not only reduce the likelihood of exploitation but also reduce the possible damage from a successful attack."

2020: Ghostcat vulnerability allows taking control of the system

On February 29, 2020, it became known that a serious vulnerability had been discovered in the Apache Tomcat application server that could allow an attacker to take control of vulnerable systems. The issue, called Ghostcat, affects all versions of Apache Tomcat released over the past 13 years.

Ghostcat

According to the company that reported it, the vulnerability lies in the Apache JServ Protocol (AJP), a binary protocol that passes incoming requests from a web server to the application server. The AJP connector is enabled by default on all Tomcat servers and listens on port 8009.

According to experts from the Chinese company Chaitin, Ghostcat (CVE-2020-1938, CNVD-2020-10487) can be used to read or write files on the Tomcat server. For example, attackers can gain access to application configuration files and steal passwords, or write files to the server (backdoors, web shells, etc.). The latter is possible only if some application on the server allows file uploads.

The following Apache Tomcat branches are affected by the vulnerability:

  • Apache Tomcat 9.x < 9.0.31
  • Apache Tomcat 8.x < 8.5.51
  • Apache Tomcat 7.x < 7.0.100
  • Apache Tomcat 6.x

Fixes were released in February 2020 for the Tomcat 7.x, 8.x and 9.x branches; the 6.x branch, discontinued in 2016, receives none. According to BinaryEdge search results, as of February 2020 more than a million Tomcat servers were reachable on the Internet. In addition, since the publication of the issue on GitHub, a number of PoC codes have already appeared [1, 2, 3, 4, 5] for testing for and carrying out Ghostcat attacks.[2]
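Because the Ghostcat surface is the AJP connector described above, the obvious hardening check is whether conf/server.xml still exposes one. The script below is an added example written for this page, not code from Chaitin, TAdviser or the Tomcat project. It applies the connector attributes of the fixed releases (9.0.31, 8.5.51, 7.0.100), where AJP is expected to be bound to a loopback address and protected by a shared secret through `secretRequired="true"` and `secret="..."`; the three server.xml fragments are constructed samples (the pre-fix default, a hardened connector with a placeholder secret, and a connector commented out entirely).

```python
"""Audit Tomcat's conf/server.xml for an exposed AJP connector (Ghostcat surface).

Added example for this page; not code from Chaitin, TAdviser or the Tomcat
project. Assumes the attribute semantics of the fixed releases
(9.0.31 / 8.5.51 / 7.0.100): bind AJP to loopback and require a shared secret.
"""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "localhost"}

# Constructed sample 1: the pre-fix shipped default, listening on every interface
# on port 8009 with no authentication of the caller.
WEAK_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample 2: AJP kept for a front-end web server on the same host,
# bound to loopback and requiring a shared secret (placeholder value).
HARDENED_SERVER_XML = WEAK_SERVER_XML.replace(
    '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />',
    '<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" '
    'secretRequired="true" secret="REPLACE-WITH-A-LONG-RANDOM-SECRET" redirectPort="8443" />',
)

# Constructed sample 3: AJP is not needed, so the connector is commented out.
DISABLED_SERVER_XML = WEAK_SERVER_XML.replace(
    '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />',
    '<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->',
)


def audit_ajp_connectors(server_xml: str) -> list:
    """One dict per AJP connector: port, address and a list of issues.

    ElementTree drops XML comments while parsing, so a commented-out
    connector correctly produces no entry at all.
    """
    results = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # Tomcat treats a missing protocol attribute as HTTP/1.1; AJP may be
        # given as "AJP/1.3" or as a fully qualified org.apache.coyote.ajp class.
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue
        issues = []
        address = conn.get("address")
        if address is None:
            issues.append("no address attribute: bind explicitly to loopback "
                          "(pre-9.0.31 defaults listen on all interfaces)")
        elif address not in LOOPBACK:
            issues.append("bound to non-loopback address %s" % address)
        if conn.get("secretRequired", "true").lower() == "false":
            issues.append("secretRequired=false: any client reaching the port is trusted")
        elif not conn.get("secret"):
            issues.append("no secret set: configure a shared secret with the front-end web server")
        results.append({"port": conn.get("port"), "address": address, "issues": issues})
    return results


def ajp_exposed(server_xml: str) -> bool:
    """True if any AJP connector carries at least one finding."""
    return any(r["issues"] for r in audit_ajp_connectors(server_xml))


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML),
                       ("disabled", DISABLED_SERVER_XML)):
        print(label, audit_ajp_connectors(doc) or "no AJP connector")
```

If nothing in front of Tomcat speaks AJP, the commented-out form is the simplest fix; a loopback binding alone is not enough wherever another process on the same host could reach the port, which is why the check also insists on the secret.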

2015: Description of Apache Tomcat

The product implements the Servlet, JavaServer Pages (JSP) and JavaServer Faces (JSF) specifications. It is written in Java.

Tomcat allows you to run web applications and ships with a number of self-configuring applications.

Screenshot of the Tomcat server page window, 2013

The server is used as a stand-alone web server, as a content server in combination with the Apache HTTP Server, and as the servlet container in the JBoss and GlassFish application servers.

Tomcat is developed and supported by the Apache Software Foundation and volunteers. Users have free access to Tomcat source code and binaries under the Apache License 2.0. Tomcat version numbers start at 3.0.x (Sun released the earlier versions for internal use).

Notes