How to fix the Tomcat vulnerability

2025-02-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article mainly explains how to fix the Tomcat vulnerability. Interested readers may want to take a look: the method introduced here is simple, quick and practical. Let the editor take you through how to fix the Tomcat vulnerability.

1. Introduction to the Tomcat vulnerability

Apache Tomcat is an open source implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. The Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket specifications are developed under the Java Community Process.

Ah Fan believes that the versions in use today are many, from 7.0 up to the latest 10.0, but Tomcat now has a serious vulnerability, and it affects a large number of those versions.

The affected versions are:

Apache Tomcat 9.x < 9.0.31

Apache Tomcat 8.x < 8.5.51

Apache Tomcat 7.x < 7.0.100

Apache Tomcat 6.x

In other words, the affected versions are: Tomcat 6, Tomcat 7 below 7.0.100, Tomcat 8 below 8.5.51, and Tomcat 9 below 9.0.31. The version Ah Fan runs in production is indeed 8.5.24, which falls within the vulnerable range.

On January 6, 2020, the China National Vulnerability Database (CNVD) published the Apache Tomcat file inclusion vulnerability (CNVD-2020-10487, corresponding to CVE-2020-1938), discovered and reported by Beijing Chaitin Technology Co., Ltd. An attacker exploiting this vulnerability can remotely read arbitrary files under specific directories without authorization. CNVD rated the vulnerability as high severity.

2. Vulnerability analysis

After CNVD received Chaitin's report of the Apache Tomcat file inclusion vulnerability, a round of verification began. It found that an implementation flaw in Tomcat's AJP protocol lets certain request parameters be controlled by the client; by crafting specific parameters, an attacker can read arbitrary files under the server's webapp directory. If the server also exposes a file upload function, the attacker can go further and achieve remote code execution.

Everyone is surely very familiar with the webapp folder: many production projects simply deploy their own WAR package into the webapps directory. That means that if an attacker uses this vulnerability against you, they will certainly obtain your project's source code; decompile it by the usual means, and the project has no secrets left. Think how frightening that is.

How is it obtained? The vulnerability, tracked as CVE-2020-1938, lies in the AJP protocol of the Apache Tomcat software and allows an unauthenticated attacker to remotely access the applications and source code files deployed on the server.

Since the vulnerability lies in the AJP protocol, we first need to understand what the AJP protocol is.

AJP protocol

AJP (Apache JServ Protocol) is a packet-oriented protocol. For performance reasons, it transmits readable text in a binary format. The web server connects to the servlet container over a TCP connection. That is the Baidu Baike, i.e. the official, explanation. So where does the AJP protocol appear in Tomcat?

Ah Fan is sure everyone has changed Tomcat's port numbers at some point, for example 8080 to 8088 and 8009 to 8099, but have you ever looked carefully at the comments in the server.xml file?

In the image above, this is obviously the Connector based on HTTP/1.1. A Connector is simply a connector: with it, Tomcat can act as a web server while also handling Servlets and JSPs.

Now look at the picture below and pay attention to the comments.

The sentence "Define an AJP 1.3 Connector on port 8009" means literally that an AJP 1.3 connector is defined on port 8009, that is, this port speaks the AJP protocol. Many people know the HTTP protocol because of port 8080, whereas the AJP 1.3 Connector speaks AJP, which transmits readable text in a binary format.

If you are really interested in the AJP protocol, you can look at the official Tomcat documentation at [https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html], which covers the design goals of the AJP protocol, an overview, some of the request types, and so on.

3. What should we do about the vulnerability?

The easiest way is to change the Tomcat version: if you do not use Tomcat's AJP, you can directly upgrade Tomcat to version 9.0.31, 8.5.51 or 7.0.100 to fix the bug.

If the version update cannot be carried out immediately, or for users of older versions, it is recommended to disable the AJP Connector outright, or to change its listening address so that it listens only on localhost.

Specific operations:

Edit conf/server.xml under the Tomcat directory and find the following line:

Comment out this line and you are done. After saving, Tomcat must be restarted before the change takes effect.

If the Tomcat AJP protocol is in use: upgrade Tomcat to version 9.0.31, 8.5.51 or 7.0.100 immediately to fix it, and configure secret on the AJP Connector to set the AJP protocol's authentication credential. For example (note that YOUR_TOMCAT_AJP_SECRET must be replaced with a strong value that cannot easily be guessed):

If the version cannot be updated immediately, or you are on an older version, it is recommended to configure requiredSecret on the AJP Connector to set the AJP protocol's authentication credential.
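As an added example (not from the article or the Tomcat project), here is a small Python audit of server.xml that checks the mitigations described above: every active AJP Connector should be bound to loopback only and carry a shared secret (secret on current releases, requiredSecret on the older releases). The XML is a constructed sample; a commented-out Connector is dropped by the parser, which matches the "comment it out" mitigation.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not the article's own file): one
# exposed AJP connector, one hardened connector, and one commented out.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8019" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="CHANGE_ME_PLACEHOLDER" />
    <!-- <Connector port="8029" protocol="AJP/1.3" redirectPort="8443" /> -->
  </Service>
</Server>
"""

# Addresses that keep the connector reachable from the local host only.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list[dict]:
    """Return one finding per active AJP connector in a server.xml document.

    A finding records the port, the bind address (Tomcat binds all
    interfaces when ``address`` is absent), whether a shared secret is set
    (``secret`` or the older ``requiredSecret``), and a list of issues.
    An empty issue list means the connector follows both mitigations.
    """
    root = ET.fromstring(server_xml)  # comments are discarded by the parser
    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").startswith("AJP/"):
            continue
        address = conn.get("address", "0.0.0.0")
        has_secret = bool(conn.get("secret") or conn.get("requiredSecret"))
        issues = []
        if address not in LOOPBACK:
            issues.append("listens on %s, not loopback only" % address)
        if not has_secret:
            issues.append("no AJP secret configured")
        findings.append({"port": conn.get("port"), "address": address,
                         "has_secret": has_secret, "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not finding["issues"] else "; ".join(finding["issues"])
        print("AJP connector on port %s: %s" % (finding["port"], status))
```

Point it at a real conf/server.xml by reading the file into a string; any connector reported with issues is one the article's guidance says to comment out, bind to localhost, or protect with a secret.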

At this point, I believe you have a deeper understanding of how to fix the Tomcat vulnerability. You might as well try it in practice. For more related content, visit the relevant channels on this site, follow us, and keep learning!
