Bug#952436: tomcat7: vulnerable to "ghostcat", CVE-2020-1938 / CNVD-2020-10487
Joost van Baal-Ilić
joostvb+debian-bugs at uvt.nl
Mon Feb 24 13:24:41 GMT 2020
Package: tomcat7
Version: 7.0.56-3+really7.0.99-1
Severity: important
Hi,
tomcat7, as shipped with Debian jessie/oldoldstable (and 8 and 9), is
vulnerable to "ghostcat", see https://www.chaitin.cn/en/ghostcat . PoC
exploit code has been published. Specifically,
Apache Tomcat 9.x < 9.0.31
Apache Tomcat 8.x < 8.5.51
Apache Tomcat 7.x < 7.0.100
are vulnerable. Upstream has published 9.0.31, 8.5.51, and 7.0.100 to fix this
vulnerability (and other issues).
Tomcat as shipped by Debian is likely not vulnerable from the network in the
default configuration, since by default the Tomcat AJP Connector only listens on
localhost:8009, not on *:8009.
See also:
https://security-tracker.debian.org/tracker/CVE-2020-1938
https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487
https://www.cnvd.org.cn/webinfo/show/5415 (in Chinese)
Bye,
Joost
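As an added example, not part of the bug report or of Debian's tooling, here is the check a defender could run against a Tomcat install: it pulls the upstream version out of a Debian "+really" version string, compares it with the fixed releases listed in the report, and flags AJP connectors in server.xml that are not bound to a loopback address (the default configuration the report describes). The server.xml below is constructed for the example.

```python
"""Ghostcat (CVE-2020-1938) exposure check: version and AJP bind address."""
import xml.etree.ElementTree as ET

# First fixed release per branch, as given in the bug report.
FIXED = {7: (7, 0, 100), 8: (8, 5, 51), 9: (9, 0, 31)}

# Bind addresses that keep AJP off the network.
LOOPBACK = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "localhost"}

# Constructed server.xml: one AJP connector bound to all interfaces
# (no address attribute), one bound to loopback as Debian ships it.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"/>
  </Service>
</Server>
"""


def upstream_version(debian_version):
    """'7.0.56-3+really7.0.99-1' -> '7.0.99' (the part after '+really',
    minus the Debian revision); plain versions pass through unchanged."""
    upstream = debian_version.split("+really")[-1]
    return upstream.split("-")[0]


def is_fixed(version):
    """True if version is at or above the fixed release for its branch,
    False if below, None if the branch is not covered by the advisory."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    fixed = FIXED.get(parts[0])
    if fixed is None:
        return None
    return parts >= fixed


def exposed_ajp_connectors(server_xml):
    """Return (address, port) for every AJP connector not bound to loopback.
    A missing address attribute means Tomcat binds all interfaces."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if "AJP" not in conn.get("protocol", "").upper():
            continue
        address = conn.get("address")
        if address is None or address not in LOOPBACK:
            findings.append((address or "*", conn.get("port", "8009")))
    return findings
```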