Bug#952437: tomcat9: vulnerable to "ghostcat", CVE-2020-1938 / CNVD-2020-10487

Joost van Baal-Ilić joostvb+debian-bugs at uvt.nl
Mon Feb 24 13:32:00 GMT 2020


Package: tomcat9
Version: 9.0.16-4
Severity: important

Hi,

tomcat9, as shipped with Debian buster/stable, is vulnerable to "ghostcat",
see https://www.chaitin.cn/en/ghostcat .  PoC exploit code has been published.
Specifically, Apache Tomcat 9.x < 9.0.31 is vulnerable.  Upstream has published
9.0.31 to fix this vulnerability (and other issues, see
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html ).

Tomcat as shipped by Debian is likely not vulnerable from the network in the
default configuration, since by default Tomcat AJP Connector only listens on
localhost:8009, not on *:8009 .

See also:

https://security-tracker.debian.org/tracker/CVE-2020-1938
https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487
https://www.cnvd.org.cn/webinfo/show/5415 (in Chinese)

Bye,

Joost
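The report's mitigating point is that the Debian default binds the AJP connector to localhost:8009 only, so the first thing to verify on a host is whether port 8009 is actually bound to loopback or to a routable address. The script below is an added example, not code from the bug report, from Debian, or from the Tomcat project. It classifies `ss -ltn`-style listening-socket output for a given port; the sample listings are constructed, not captured from a real host, and the function name `ajp_listen_state` and the `AJP_PORT` variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): decide whether the AJP port is
# bound to loopback only, to a routable/wildcard address, or not at all.

AJP_PORT="${AJP_PORT:-8009}"

# Read `ss -ltn`-style lines on stdin; print one of: loopback, exposed, none.
# "exposed" wins over "loopback" if both kinds of socket exist for the port.
ajp_listen_state() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4
            # Local address is "host:port"; the port is after the last colon,
            # which also copes with IPv6 forms like [::1]:8009 and ::ffff:127.0.0.1:8009.
            n = split(addr, parts, ":")
            p = parts[n]
            if (p != port) next
            host = substr(addr, 1, length(addr) - length(p) - 1)
            gsub(/^\[|\]$/, "", host)     # strip IPv6 brackets
            sub(/^::ffff:/, "", host)     # unwrap IPv4-mapped IPv6 addresses
            if (host == "::1" || host ~ /^127\./) loop = 1
            else exposed = 1              # "*", "0.0.0.0", "::", or a real interface address
        }
        END {
            if (exposed) print "exposed"
            else if (loop) print "loopback"
            else print "none"
        }'
}

# Constructed sample listings (not captured from a real system).
# Debian default: AJP on loopback (shown as an IPv4-mapped address, as ss prints it), HTTP on all interfaces.
SAMPLE_DEFAULT='State  Recv-Q Send-Q Local Address:Port        Peer Address:Port
LISTEN 0      100    [::ffff:127.0.0.1]:8009   *:*
LISTEN 0      100    *:8080                    *:*'

# A host where the AJP connector was reconfigured (or an older package) to listen on every interface.
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port        Peer Address:Port
LISTEN 0      100    *:8009                    *:*
LISTEN 0      100    *:8080                    *:*'

echo "sample default: $(printf '%s\n' "$SAMPLE_DEFAULT" | ajp_listen_state "$AJP_PORT")"
echo "sample exposed: $(printf '%s\n' "$SAMPLE_EXPOSED" | ajp_listen_state "$AJP_PORT")"

# Live check on this host, if ss is available.
if command -v ss >/dev/null 2>&1; then
    echo "this host:      $(ss -ltn 2>/dev/null | ajp_listen_state "$AJP_PORT")"
fi
```

A "loopback" result only narrows the attack surface to local processes; the vulnerability itself is still present until the package is updated. If the connector is "exposed" and cannot be removed, set `address="127.0.0.1"` on the AJP `<Connector>` in server.xml (and, once on 9.0.31 or later, configure a `secret`, since that release makes `secretRequired` default to true).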



More information about the pkg-java-maintainers mailing list