Apache Tomcat servers released in the last 13 years are vulnerable to a bug named Ghostcat that can allow hackers to take over unpatched systems.

Discovered by Chinese cybersecurity firm Chaitin Tech, Ghostcat is a flaw in the Tomcat AJP protocol.

AJP stands for Apache JServ Protocol and is a performance-optimized version of the HTTP protocol in binary format. Tomcat uses AJP to exchange data with nearby Apache HTTPD web servers or other Tomcat instances.

Tomcat's AJP connector is enabled by default on all Tomcat servers and listens on the server's port 8009.

Ghostcat can steal configs, plant backdoors

Chaitin researchers say they discovered a bug in AJP that can be exploited to either read or write files to a Tomcat server.

For example, hackers could read app configuration files and steal passwords or API tokens, or they could write files to a server, such as backdoors or web shells (the Ghostcat "write" attack is only possible if any app hosted on the Tomcat server allows users to upload files).

The Ghostcat vulnerability is extensive, to say the least. It impacts all 6.x, 7.x, 8.x, and 9.x Tomcat branches. Apache Tomcat 6.x was released in February 2007, meaning that all Tomcat versions released in the last 13 years should be considered open to attacks.

Chaitin researchers say they've found the bug in early January this year, and worked with the Apache Tomcat project to have patches ready before going public.

Fixes were released for Tomcat 7.x, Tomcat 8.x, and Tomcat 9.x branches, but not for the 6.x branch, which went into end-of-life in 2016. The Chaitin team also released an update to their XRAY tool so it can scan networks for the presence of vulnerable Tomcat servers.

Multiple demo exploits available on GitHub

The Ghostcat vulnerability identifiers are CVE-2020-1938 and CNVD-2020-10487 (used internally in China).

According to a BinaryEdge search, there are more than one million Tomcat servers currently available online.

Per Tenable, proof-of-concept code[1, 2, 3, 4, 5] for testing or launching Ghostcat attacks proliferated on GitHub after the bug's public disclosure last week.

According to Snyk, apps built on the Spring Boot Java framework are also vulnerable since they come with a pre-included Tomcat server. Per Red Hat, Tomcat also ships with other Java-based frameworks and servers, such as JBossWeb and JBoss EAP.

Red Hat recommends disabling the AJP connector in Tomcat if not used, or binding it to localhost port, since most of AJP's use is in cluster environments and the 8009 port should never be exposed on the internet without strict access-control lists.