CVE-2020-1938: 
Java vulnerability analysis and mitigation

CVE-2020-1938, also known as the Ghostcat vulnerability, was discovered in Apache Tomcat's Apache JServ Protocol (AJP) implementation. The vulnerability was disclosed on February 24, 2020, affecting Apache Tomcat versions 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50, and 7.0.0 to 7.0.99. The vulnerability exists in the AJP connector, which was enabled by default and listened on all configured IP addresses (NVD).

The vulnerability stems from Apache Tomcat treating AJP connections with higher trust than HTTP connections. When the AJP Connector is enabled, an attacker can exploit this to: 1) return arbitrary files from anywhere in the web application, and 2) process any file in the web application as a JSP. If the web application allows file upload or if the attacker can control web application content, this vulnerability could lead to remote code execution. The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) (NVD).

Successful exploitation of this vulnerability could lead to unauthorized file access, information disclosure, and potential remote code execution if certain conditions are met. The attacker could read sensitive files within the web application scope and execute malicious code by processing uploaded files as JSP (NVD).

Users should upgrade to Apache Tomcat versions 9.0.31, 8.5.51, or 7.0.100 or later. If immediate upgrade is not possible, ensure the AJP port is not accessible to untrusted users. The fix includes changes to the default AJP Connector configuration to harden security. Users upgrading to the fixed versions may need to make small configuration changes (NVD).

The vulnerability received significant attention from the security community due to its critical severity and the widespread use of Apache Tomcat. Multiple vendors and Linux distributions issued security advisories and patches, including Red Hat, Debian, and Oracle (Oracle).