Tomcat high-risk vulnerability disclosure and fix

Today I am sharing some knowledge with you about the recently disclosed high-risk Tomcat vulnerability and how to fix it.

1 Tomcat high-risk vulnerability and fix

1.1 Vulnerability background
On February 20, 2020, 360CERT's monitoring found that the National Information Security Vulnerability Sharing Platform (CNVD) had published CNVD-2020-10487, an Apache Tomcat file inclusion vulnerability.

Tomcat is a Servlet container developed under the Apache Software Foundation's Jakarta project. Following the technical specifications provided by Sun Microsystems, it implements support for Servlet and JavaServer Pages (JSP). Because Tomcat itself includes an HTTP server, it can also be regarded as a standalone web server.

CNVD-2020-10487 / CVE-2020-1938 is a file inclusion vulnerability. An attacker who exploits it can include, and thereby read, any file under Tomcat's webapp directory, such as the webapp's configuration files or source code.

1.2 Affected versions
Apache Tomcat 9.x < 9.0.31
Apache Tomcat 8.x < 8.5.51
Apache Tomcat 7.x < 7.0.100
Apache Tomcat 6.x

1.3 Vulnerability analysis
1.3.1 AJP Connector
The Tomcat server connects to clients through the Connector component: a Connector is the endpoint that receives requests and returns responses. It is responsible for accepting the client's request and sending the Tomcat server's response back to the client. On an Apache Tomcat server we most commonly use port 8080, the so-called HTTP Connector, which speaks the HTTP/1.1 protocol.

In the conf/server.xml file, the corresponding configuration is:

 <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

The AJP Connector, by contrast, uses the AJP protocol (Apache JServ Protocol), a packet-oriented protocol. For performance reasons it transmits data in a binary format rather than as readable text, which reduces the cost of processing HTTP requests, so it is mainly used in clustering and reverse-proxy scenarios.

The corresponding AJP protocol configuration is:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

So by default a Tomcat server opens two ports to the outside network, giving web clients two ways to reach the server.
1.3.2 Code analysis
The main flaw is located in org.apache.coyote.ajp.AbstractAjpProcessor.java#prepareRequest(), where the request content is generated while an AJP request is processed.
Here it first checks for SC_A_REQ_ATTRIBUTE, meaning that if the AJP attribute is not one of those in the list above, execution falls into this branch.
SC_A_REQ_REMOTE_PORT corresponds to AJP_REMOTE_PORT, which refers to the forwarded remote port; AJP13 does not forward the remote port itself, but accepts the forwarded data as the remote port.
So here we can set specific AJP attributes; for example, the following three attributes in the packet can be set as attributes on the request object:

javax.servlet.include.request_uri
javax.servlet.include.path_info
javax.servlet.include.servlet_path

1.3.3 Arbitrary file read
When the request is dispatched to the org.apache.catalina.servlets.DefaultServlet#serveResource() method,
it calls getRelativePath(), which requires the request_uri obtained from the request to be non-null, and then reads the pathInfo and servletPath values from the request attributes that were set.
Looking further down, the getResource() method then takes that path as a parameter to fetch the source file.
Vulnerability demo: reading the file /WEB-INF/web.xml
1.3.4 Command execution
When the request URI points to a JSP, org.apache.jasper.servlet.JspServlet#service() is called,
and finally pathInfo is passed to serviceJspFile() to process and parse the JSP file. So when we can control a JSP file on the server, for example when a file upload function exists, this can lead to RCE.
Vulnerability demo: causing RCE

1.4 Suggested fix

Update to the following Tomcat versions:

Tomcat branch    Version
Tomcat 7         7.0.100
Tomcat 8         8.5.51
Tomcat 9         9.0.31

Apache Tomcat 6 is no longer maintained; upgrade to the latest supported Tomcat version so that you are not exposed to this vulnerability.

Customers are advised to keep an eye on the official site (Apache Tomcat® - Welcome) to obtain the latest Tomcat release, and on the apache/tomcat repository (Apache Tomcat) to obtain the latest version from git.
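As an added example (not code from the original article or from the Tomcat project), the following Python script checks a Tomcat version string against the fix table above and audits a server.xml for AJP connectors that are reachable from other hosts or carry no shared secret. The address, secret and secretRequired Connector attributes are Tomcat's own (from its Connector reference) and do not appear in the article's default configuration; the server.xml samples are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases per branch (from the advisory); anything lower is affected.
# Tomcat 6.x is end of life and never received a fix.
FIXED_VERSIONS = {7: (7, 0, 100), 8: (8, 5, 51), 9: (9, 0, 31)}


def parse_version(text):
    """Turn '9.0.30' (or '9.0.30.0') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_affected_version(text):
    """True if below the branch's fix release, or on an unfixed branch (6.x and older)."""
    ver = parse_version(text)
    fixed = FIXED_VERSIONS.get(ver[0])
    return ver[0] <= 6 if fixed is None else ver < fixed


def audit_ajp_connectors(server_xml):
    """Return one finding per AJP Connector that is reachable from other hosts or has no secret."""
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        # Matches both "AJP/1.3" and the explicit org.apache.coyote.ajp.* class names.
        if "ajp" not in c.get("protocol", "").lower():
            continue
        port = c.get("port", "?")
        address = c.get("address", "0.0.0.0")  # unset means Tomcat binds every interface
        if address not in ("127.0.0.1", "::1", "localhost"):
            findings.append("AJP connector on port %s listens on %s" % (port, address))
        if not c.get("secret"):  # 'secret' is Tomcat's Connector attribute, not from the article
            findings.append("AJP connector on port %s has no shared secret" % port)
    return findings


# Constructed samples: the article's default AJP line, and a hardened variant.
VULNERABLE_SERVER_XML = """<Server><Service>
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""

HARDENED_SERVER_XML = """<Server><Service>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="REPLACE-WITH-A-RANDOM-SECRET" redirectPort="8443" />
</Service></Server>"""
```

If the AJP connector is not needed at all (no Apache httpd or other AJP reverse proxy in front of Tomcat), commenting it out of server.xml removes the exposure entirely, independent of version.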

1.5 Related cyberspace asset mapping data

1.6 Product-side solutions

1.6.1 360 city-level network security monitoring service
The QUAKE asset mapping platform of the 360 Security Brain can monitor this type of vulnerability/event through asset mapping techniques; users should contact the product manager responsible for their region to obtain the corresponding product.

1.6.2 360AISA full-traffic threat analysis system
360AISA is built on security models trained on 360's massive data together with practical experience; it provides full-traffic threat detection, real-time precise attack alerting, and attack-chain reconstruction. The product currently has real-time detection capability for this vulnerability/attack.

How much have you learned about this high-risk Tomcat vulnerability and its fix? Comments are welcome in the comments section!


Source: blog.csdn.net/weixin_45794138/article/details/104844692