By default, Apache Tomcat uses Apache JServ Protocol (AJP) connectors. Attackers can use the AJP connectors to read data from files in the webapp directory of Apache Tomcat. This poses a potential risk. This topic describes how to fix this vulnerability.

Background information

Apache Tomcat is a Servlet container developed by the Jakarta project, which is a part of the Apache Software Foundation. By default, Apache Tomcat uses AJP connectors to exchange data with other web servers.

However, AJP has a vulnerability that attackers can exploit to read data from the webapp directory of Apache Tomcat, including the configuration files and source code stored there. For applications that allow users to upload files, attackers can upload files that contain malicious Jakarta Server Pages (JSP) scripts to the server and then exploit the vulnerability to include those files, which allows them to remotely acquire permissions on the server. The vulnerability can be exploited only if the AJP service is enabled and its port is exposed. By default, Apache Tomcat enables the AJP service and binds it to the IP address 0.0.0.0, which means that it listens on all network interfaces.

Impacts

  • This vulnerability does not affect applications that are deployed in Elastic Compute Service (ECS) clusters or deployed by using JAR packages.
  • This vulnerability poses security threats to applications that are deployed in Kubernetes clusters by using WAR packages. You must fix this vulnerability at the earliest opportunity.
  • This vulnerability poses security threats to Kubernetes clusters that are created from images and have the Tomcat AJP Connector enabled in the Tomcat server.xml configuration file. You must fix this vulnerability at the earliest opportunity.

Fixes

  • If your application is deployed in a Kubernetes cluster by using a WAR package, redeploy the application in the Enterprise Distributed Application Service (EDAS) console or by calling API operations.
  • If your Kubernetes cluster managed by EDAS is created from an image, build a new image from a Tomcat version in which the AJP Connector is commented out in server.xml. Then, use the image to redeploy the application.

Vulnerability check

Use a webshell to log on to the container, find the Tomcat conf directory, and check whether the server.xml file contains the setting <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />. A Connector that is wrapped in an XML comment (<!-- ... -->) is disabled and does not count as present.

  • If this setting does not exist, it indicates that the vulnerability has been fixed.
  • If this setting still exists, the vulnerability is not fixed. You must fix it at the earliest opportunity. For more information, see Fixes.
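The check above can be automated. The following script is an added example, not part of the EDAS or Tomcat documentation; it parses server.xml with an XML parser instead of grepping it, so a connector that has been commented out (the fix above) is correctly reported as disabled. It assumes Python is available where the file can be read, and the two sample server.xml contents are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET


def find_ajp_connectors(server_xml_text):
    """Return (port, address) for every AJP connector Tomcat would start.

    Connectors wrapped in <!-- ... --> are dropped by the XML parser, so a
    connector that was commented out (the fix above) is not reported.
    """
    root = ET.fromstring(server_xml_text)
    found = []
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        # Matches "AJP/1.3" as well as fully qualified AJP protocol classes.
        if "ajp" in proto.lower():
            # Default of 0.0.0.0 (all interfaces) is assumed when no
            # explicit address attribute is set, as described above.
            found.append((conn.get("port"), conn.get("address", "0.0.0.0")))
    return found


def is_vulnerable(server_xml_text):
    """True if at least one AJP connector is still enabled."""
    return bool(find_ajp_connectors(server_xml_text))


# Constructed sample files: the default (unfixed) setting and the fixed one.
UNFIXED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

FIXED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
  </Service>
</Server>"""

if __name__ == "__main__":
    # Usage: python check_ajp.py /path/to/tomcat/conf/server.xml
    # (with no argument the constructed UNFIXED sample is checked)
    text = open(sys.argv[1]).read() if len(sys.argv) == 2 else UNFIXED
    connectors = find_ajp_connectors(text)
    for port, address in connectors:
        print("AJP connector enabled on %s:%s - not fixed" % (address, port))
    if not connectors:
        print("No enabled AJP connector found - fixed")
    sys.exit(1 if connectors else 0)
```

A non-zero exit status means an AJP connector is still enabled, which makes the script usable as a gate in an image build or deployment pipeline.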