Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Apache

Ghostcat Bug Impacts All Apache Tomcat Versions Released in the Last 13 Years (zdnet.com) 45

Apache Tomcat servers released in the last 13 years are vulnerable to a bug named Ghostcat that can allow hackers to take over unpatched systems. From a report: Discovered by Chinese cybersecurity firm Chaitin Tech, Ghostcat is a flaw in the Tomcat AJP protocol. AJP stands for Apache JServ Protocol and is a performance-optimized version of the HTTP protocol in binary format. Tomcat uses AJP to exchange data with nearby Apache HTTPD web servers or other Tomcat instances. Tomcat's AJP connector is enabled by default on all Tomcat servers and listens on the server's port 8009. Chaitin researchers say they discovered a bug in AJP that can be exploited to either read or write files to a Tomcat server.
This discussion has been archived. No new comments can be posted.

Ghostcat Bug Impacts All Apache Tomcat Versions Released in the Last 13 Years

Comments Filter:
  • I think it is safe to asume that every piece of software contains bugs. Not all bugs are security risks and not all security risks are related to bugs. Most security risks are related to bad design.
    • Are you saying that a bug that allows unintended/unauthorised reading and writing of files on the server via HTTP doesn't count as a security risk?

    • by gweihir ( 88907 )

      I think it is safe to asume that every piece of software contains bugs. Not all bugs are security risks and not all security risks are related to bugs.
      Most security risks are related to bad design.

      I agree. And bad implementation. All security critical functionality should be designed and implemented with redundancies that prevent single bugs (or multiple bugs on very critical things) from breaking security. This approach is just part of sound engineering practices of having redundancies and quite standard in established engineering fields. Unfortunately, software engineering is not really an established engineering field yet, and still has far too many non-engineers (that have no real clue what they

    • Almost all software has bugs, amd then there's Tomcat, which is nothing but a pile of security bugs. I used to maintain a security exposure database. Tomcat has far more than its share of significant issues.

      • Good thing it's written in a safe language like Java (instead of a dangerous language like C) so it doesn't have security errors. If it were written in Rust it would be even safer.
      • by Anonymous Coward

        Tomcat is a god damned fortress compared to anything built with PHP.

        • PHP was really bad from 1994-2005.

          The team had an attitude change in 2005. That's now 15 years ago.

          • The existing "problem" with PHP has a few layers -

            First, there is a low barrier to entry. ionos.com/1and1.com can host you for a buck a month and give you a lamp stack. This means that it is quick and easy for inexperienced folks learning to code to start using it.

            Next,is that the search engines never forget and don't typically detract ranking from older content even with plenty of similar newer content. This means that when one of those new coders does a google/bing/duckduckgo/whatever search for "conne

      • I actually should have been more specific. While Tomcat itself has had several major vulnerabilities, it's most often used with Struts, and Struts is awful. The typical Struts-Tomcat stack will give me remote code execution pretty much every time.

    • i think its pretty much un-avoidable to have something that grows over years not to develop bugs , maybe the bug wasn't a bug until the hardware changed, maybe the bug wasn't a bug until the OS- changed or upgraded and maybe the bug isn't a bug in previous versions of either soft- os- or hardware ... hmh, the people i pay claim to stay on the 0day patches, the apache i have here doesn't connect to the internet and the machine that does has lighttpd and about zero sensitive info ... I feel more threatened b
  • So there is a ghost in the machine...

  • by Antique Geekmeister ( 740220 ) on Saturday February 29, 2020 @07:36AM (#59781412)

    I do note that people who insist that all hosts should be accessible inside of a network, and all devices should be exposed to the world as part of the Internet of Things, have environments that are very vulnerable to this sort of attack. Other personnel inside their networks may not even realize that they're running Tomcat, or that the attached storage device or firewall itself runse Tomcat, may not realize they're relying on Jetty or any of a dozen other web servers as part of their default setups, and they do not cooperate in implementing robust firewall rules that might help reduce the exposed vulnerability.

    It's a reason that one of my elementary security steps is segmenting web traffic. An internal network should be able to _reach_ port 8009 outbound, nor vice versa.

  • The exploit requires attackers to have access to the AJP port 8009, which is normally not accessible from the public Internet in proper setups.
  • I haven't used tomcat but a few times and I've only ever allowed 8080 and 8443 access from the net.
  • Feature not a bug (Score:5, Informative)

    by Martin S. ( 98249 ) on Saturday February 29, 2020 @08:58AM (#59781524) Journal

    This is a feature of Tomcat and it is working as expect, the issue here is the same kind of problem as leaving a default admin password in place. i.e. No competent deployment engineer would make this port 8009 active by mistake.

    https://tomcat.apache.org/tomc... [apache.org]

    • Yeah, even if you don't know that Tomcat listens on port 8009, you would still cut off all traffic to that port at the firewall.

      On the other hand, if I see a developer working with Tomcat at Starbucks, I might try to connect to their Tomcat.
    • by cusco ( 717999 )

      Unfortunately many IoT developers are great at writing software to make their hardware do things, but expecting them to also be experts in web site management, network management and security is stupid. My understanding is that Tomcat's memory footprint is small enough that it's popular on memory-limited devices, so it's probably deployed incorrectly on a gazillion field moisture monitors, sewer monitoring equipment, security cameras, alarm panels, etc.

Trap full -- please empty.

Working...