AJP stands for Apache JServ Protocol and is a performance-optimized version of the HTTP protocol in binary format. Tomcat uses AJP to exchange data with nearby Apache HTTPD web servers or other Tomcat instances.
Tomcat's AJP connector is enabled by default on all Tomcat servers and listens on port 8009.
Ghostcat can steal configs, plant backdoors
Chaitin researchers say they discovered a bug in AJP that can be exploited to either read or write files to a Tomcat server.
For example, hackers could read app configuration files and steal passwords or API tokens, or they could write files to a server, such as backdoors or web shells (the Ghostcat "write" attack is only possible if any app hosted on the Tomcat server allows users to upload files).
The Ghostcat vulnerability is extensive, to say the least. It impacts all 6.x, 7.x, 8.x, and 9.x Tomcat branches. Apache Tomcat 6.x was released in February 2007, meaning that all Tomcat versions released in the last 13 years should be considered open to attacks.
Chaitin researchers say they found the bug in early January this year and worked with the Apache Tomcat project to have patches ready before going public.
According to a BinaryEdge search, there are more than one million Tomcat servers currently available online.
Per Tenable, proof-of-concept code [1, 2, 3, 4, 5] for testing or launching Ghostcat attacks proliferated on GitHub after the bug's public disclosure last week.
According to Snyk, apps built on the Spring Boot Java framework are also vulnerable since they come with a pre-included Tomcat server. Per Red Hat, Tomcat also ships with other Java-based frameworks and servers, such as JBossWeb and JBoss EAP.
Red Hat recommends disabling the AJP connector in Tomcat if it is not used, or binding it to the localhost address, since AJP is mostly used in cluster environments and port 8009 should never be exposed to the internet without strict access-control lists.
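As an added illustration of that recommendation (not taken from the article or from the Tomcat project's documentation), the fragment below shows the AJP connector as it appears in Tomcat's conf/server.xml before hardening and two hardened alternatives; the secret value is a placeholder, and the secretRequired/secret attributes are only available in Tomcat releases that include the Ghostcat fix.

```xml
<!-- BEFORE (typical pre-fix server.xml): AJP listens on every interface,
     with no authentication. Anyone who can reach TCP/8009 can speak AJP
     to this Tomcat instance. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- AFTER, option 1: Tomcat is not fronted by Apache httpd or another
     Tomcat over AJP, so the connector is simply disabled by removing it
     (or commenting it out) from server.xml. The line below is intentionally
     empty; it stands in for the deleted Connector element. -->

<!-- AFTER, option 2: AJP is genuinely needed for a reverse proxy on the
     same host. Bind the listener to the loopback address only and require
     a shared secret that the proxy must present on every request. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           secretRequired="true"
           secret="REPLACE-WITH-A-LONG-RANDOM-SECRET" />
<!-- The same secret must be configured on the proxy side (for example in
     mod_proxy_ajp's worker definition); a mismatch causes Tomcat to reject
     the AJP request rather than serve it. -->
```

After restarting Tomcat, `ss -ltnp | grep 8009` on the host should show the listener bound to 127.0.0.1 only (or no listener at all for option 1), and a firewall rule blocking inbound 8009 from outside the cluster is still advisable as defence in depth.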