Apache Tomcat Vulnerability "Ghostcat" Attracting Threat Actor Attention (Mar 20, 2020)
The newly disclosed vulnerability CVE-2020-1938 (aka “Ghostcat”) is being leveraged to target vulnerable Apache Tomcat HTTP servers. Tomcat versions 7.0, 8.5 and 9.0 are at risk, and the vulnerability allows threat actors to execute remote code without authentication. Ghostcat results from the unwarranted openness of Tomcat’s Apache JServ Protocol (AJP) interface, which is used for network communication. By default the AJP connector listens on port 8009, and when that port is exposed anyone can reach the Apache server through it.
Recommendation: Since the announcement of Ghostcat, the Apache Software Foundation has released Tomcat versions 7.0.100, 8.5.51 and 9.0.31. The security update should be applied as soon as possible because of the high criticality rating of this vulnerability and the potential for an actor to take control of an affected system. Additionally, your company should have policies in place to review and apply security updates for the software in use, to protect against known vulnerabilities that threat actors may exploit.
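As an added example (not from the advisory or the Tomcat project), the following Python audit script checks two things a defender would want from the recommendation above: whether a reported Tomcat version predates the fixed release for its branch (7.0.100, 8.5.51, 9.0.31), and whether a Tomcat `server.xml` defines an AJP connector that is not bound to loopback. The `server.xml` snippets are constructed samples; the `address` connector attribute is real Tomcat configuration, and the assumption that an unset `address` means the connector listens on all interfaces reflects the pre-fix default.

```python
import xml.etree.ElementTree as ET

# Fixed releases named in the advisory, keyed by affected branch.
FIXED = {"7.0": (7, 0, 100), "8.5": (8, 5, 51), "9.0": (9, 0, 31)}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_version(version: str) -> tuple:
    """Turn '9.0.30' into (9, 0, 30) so versions compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version: str):
    """True if on an affected branch and older than its fix; None if not covered."""
    parts = parse_version(version)
    branch = f"{parts[0]}.{parts[1]}"
    if branch not in FIXED:
        return None  # branch not mentioned in the advisory
    return parts < FIXED[branch]


def exposed_ajp_connectors(server_xml: str) -> list:
    """List AJP connectors in server.xml that are reachable beyond loopback."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        port = conn.get("port", "8009")
        # Assumption: with no address set, pre-fix Tomcat binds every interface,
        # so treat an unset address as exposed (the conservative reading).
        addr = conn.get("address", "0.0.0.0")
        if addr not in LOOPBACK:
            findings.append(f"AJP connector on {addr}:{port} is network reachable")
    return findings


# Constructed sample: the classic default with AJP on 8009 and no address binding.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# Constructed sample: AJP kept, but bound to loopback only.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"/>
  </Service>
</Server>"""
```

If AJP is not used by a front-end web server at all, removing the connector entirely is the simpler mitigation, and the script will then report no findings.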
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.