Critical Vulnerability in Apache Tomcat (CVE-2020-1938)

Published on 02 Mar 2020

Updated on 05 Mar 2020

Apache has released Tomcat versions 9.0.31, 8.5.51, and 7.0.100 to address a critical vulnerability (CVE-2020-1938).

This vulnerability exists due to a bug in the Apache JServ Protocol (AJP). Successful exploitation of this vulnerability could allow an attacker to read the content of any file on a vulnerable web server and steal sensitive information, or execute arbitrary code if the server allows file uploads.

Users and system administrators of affected products are advised to install the latest security updates immediately.

Users and system administrators of Apache Tomcat 6, which reached end-of-life in 2016 and will not receive a fix, are advised to upgrade to the latest supported version of the software as soon as possible.
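As an added example (not code from the advisory, from Apache, or from any of the linked write-ups), the following script turns the advice above into two checks a defender can run against an installation: it compares the installed Tomcat version with the fixed releases named in this advisory (9.0.31, 8.5.51, 7.0.100) and flags any AJP connector that is still enabled in server.xml, since the vulnerability is only reachable over AJP. The server.xml documents embedded below are constructed samples; the version strings, the treatment of Tomcat 6 and other unknown branches as unpatched, and the `assess` wording are this example's own assumptions.

```python
"""Check a Tomcat install against the CVE-2020-1938 fixed versions and
report enabled AJP connectors in server.xml (added example, not advisory code)."""
import re
import xml.etree.ElementTree as ET

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_VERSIONS = {
    (9, 0): (9, 0, 31),
    (8, 5): (8, 5, 51),
    (7, 0): (7, 0, 100),
}


def parse_version(version: str) -> tuple:
    """Extract (major, minor, patch) from strings such as '9.0.30' or
    'Apache Tomcat/9.0.30' (the form printed by version.sh)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(version: str) -> bool:
    """True when the version is below its branch's fixed release.
    Assumption: a branch with no fixed release (Tomcat 6, which is
    end-of-life) is treated as unpatched."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return True
    return v < fixed


def enabled_ajp_connectors(server_xml: str) -> list:
    """Return (port, address) for every AJP connector that is live in the
    document. ElementTree drops XML comments, so a connector that has been
    commented out (the usual way to disable it) is not reported."""
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        if conn.get("protocol", "").startswith("AJP/"):
            # No address attribute means the connector is not pinned to
            # loopback; pre-fix defaults bind every interface.
            found.append((conn.get("port"), conn.get("address")))
    return found


def assess(version: str, server_xml: str) -> list:
    """Combine both checks into a list of human-readable findings."""
    findings = []
    if is_vulnerable_version(version):
        findings.append(
            f"Tomcat {version} is below the fixed release for its branch; upgrade"
        )
    for port, address in enabled_ajp_connectors(server_xml):
        bound = address or "all interfaces (no address attribute)"
        findings.append(
            f"AJP connector enabled on port {port}, bound to {bound}; "
            "disable it if unused, otherwise restrict it to trusted hosts"
        )
    return findings


# Constructed sample: the shape of a pre-fix default server.xml, where the
# AJP/1.3 connector on 8009 ships enabled.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: same file with the AJP connector commented out.
SAMPLE_HARDENED_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for ver, xml in (("9.0.30", SAMPLE_SERVER_XML), ("9.0.31", SAMPLE_HARDENED_XML)):
        result = assess(ver, xml)
        print(f"{ver}: {result if result else 'no findings'}")
```

To run it against a real host, pass the output of `bin/version.sh` (or the version reported in the Tomcat `Server` header) and the contents of `conf/server.xml`. Note that the version check alone is not sufficient: an upgraded Tomcat that keeps an AJP connector listening on every interface still exposes a protocol that should only be reachable from a trusted front-end proxy.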

More information is available here:
https://nvd.nist.gov/vuln/detail/CVE-2020-1938
https://www.chaitin.cn/en/ghostcat
https://www.zdnet.com/article/ghostcat-bug-impacts-all-apache-tomcat-versions-released-in-the-last-13-years/
https://securityboulevard.com/2020/02/patch-your-tomcat-and-jboss-instances-to-protect-from-ghostcat-vulnerability-cve-2020-1938-and/