Ghostcat Flaw: All Versions Of Apache Tomcat Were Affected - Cybers Guards

All Apache Tomcat versions have a vulnerability called Ghostcat, which attackers could use to read configuration files or install backdoors on compromised servers. The CVE-2020-1938 vulnerability affects Tomcat's AJP protocol and was discovered by the Chinese cybersecurity firm Chaitin Tech.

The Apache JServ Protocol (AJP) is a binary protocol that enables the proxying of incoming requests from a web server to an application server behind it. The Tomcat Connector allows Tomcat to connect to the outside, enabling Catalina to receive requests from outside, pass them to the appropriate web application for processing, and return the result of the request-response. By design, Tomcat uses two connectors, HTTP and AJP, and the latter listens on port 8009.

The Ghostcat flaw in AJP, which can be exploited either to read or to write information on a Tomcat server, may allow attackers to access configuration files and steal passwords or API tokens. It can also allow attackers to write data, such as malware or web shells, to a server.

“Ghostcat is a serious vulnerability in Tomcat discovered by security researcher of Chaitin Tech. Due to a flaw in the Tomcat AJP protocol, an attacker can read or include any file in the webapp directory of Tomcat.”

“For example, an attacker can read the webapp configuration files or source code. In addition, if the target web application has a file upload function, the attacker may execute malicious code on the target host by exploiting file inclusion through the Ghostcat vulnerability,” states the website set up to describe the issue.

Versions of Tomcat affected by the Ghostcat vulnerability are:

Apache Tomcat 9.x < 9.0.31
Apache Tomcat 8.x < 8.5.51
Apache Tomcat 7.x < 7.0.100
Apache Tomcat 6.x

Security updates for Tomcat 7.x, Tomcat 8.x and Tomcat 9.x are already available. Chaitin also released an update to its XRAY scanner that detects vulnerable Tomcat servers. Chaitin experts discovered the vulnerability in early January and then helped the maintainers of the Apache Tomcat project address the issue. Immediately after public disclosure of the Ghostcat issue, various experts shared proof-of-concept scripts [1, 2, 3, 4, 5] on GitHub.
