Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Apache Tomcat AJP Request Injection and Potential Remote Code Execution Vulnerability

Vulnerability

A vulnerability has been identified in Apache Tomcat that allows for AJP request injection and potential remote code execution. This issue affects Apache Tomcat versions 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50, and 7.0.0 to 7.0.99. The vulnerability arises because Tomcat AJP connectors, which are enabled by default and listen on all IP addresses, are treated with higher trust than HTTP connections. If an AJP port is reachable by untrusted users, an attacker can exploit this trust to bypass security checks and authentication and to have arbitrary files processed as JSPs, potentially leading to remote code execution.

Impact

Exploitation of this vulnerability allows for AJP request injection, arbitrary file read and inclusion, processing of files as JSPs, and potentially remote code execution if certain conditions are met.

Reproduction

To reproduce this vulnerability, ensure that an AJP connector is enabled and listening on a public IP address; in Tomcat versions prior to the fix, this is the default configuration. Once the AJP connector is exposed to an untrusted network, the vulnerability can be triggered by sending crafted AJP requests that abuse the trust relationship AJP has with Tomcat.

Remediation

Upgrade to Apache Tomcat 9.0.31, 8.5.51, or 7.0.100 or later. After upgrading, review the AJP connector configuration, as the default settings changed in these releases to enhance security. If AJP is not needed, disable the connector.
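A defender-side configuration audit for the remediation step above, written as an added example and not taken from Tomcat or from this page: it parses a server.xml and flags AJP connectors that listen on all interfaces or have no shared secret. The `protocol`, `address`, `secretRequired` and `secret` connector attributes are Tomcat's own; the two sample configurations and the secret placeholder are constructed for the example.

```python
"""Audit a Tomcat server.xml for AJP connectors that are exposed without an
address restriction or a shared secret (defender-side configuration check)."""
import xml.etree.ElementTree as ET
from typing import List

# Values of the 'address' attribute that mean "listen on every interface".
ALL_INTERFACES = {"", "0.0.0.0", "::", "::0"}


def audit_ajp_connectors(server_xml: str) -> List[str]:
    """Return a list of findings; an empty list means no risky AJP connector.

    Works on the text of server.xml, so it runs without a Tomcat install.
    XML comments are dropped by the parser, so a connector that exists only
    as a commented-out template is correctly treated as disabled.
    """
    findings = []
    for connector in ET.fromstring(server_xml).iter("Connector"):
        protocol = connector.get("protocol", "HTTP/1.1")
        # Matches "AJP/1.3" and explicit classes such as
        # org.apache.coyote.ajp.AjpNioProtocol; skips HTTP connectors.
        if "ajp" not in protocol.lower():
            continue
        port = connector.get("port", "?")
        if connector.get("address", "").strip() in ALL_INTERFACES:
            findings.append(f"AJP connector on port {port} has no 'address' "
                            "restriction; bind it to 127.0.0.1 or disable it")
        if connector.get("secretRequired", "true").lower() == "false":
            findings.append(f"AJP connector on port {port} sets secretRequired=\"false\"")
        elif not connector.get("secret"):
            findings.append(f"AJP connector on port {port} has no shared 'secret'")
    return findings


# Constructed sample: the pre-fix default, AJP enabled on every interface.
LEGACY_DEFAULT = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

# Constructed sample: AJP bound to loopback with a shared secret (placeholder).
HARDENED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="REPLACE_WITH_RANDOM_SECRET"
             redirectPort="8443"/>
</Service></Server>"""

if __name__ == "__main__":
    for name, cfg in (("legacy default", LEGACY_DEFAULT), ("hardened", HARDENED)):
        print(f"{name}: {audit_ajp_connectors(cfg) or ['OK']}")
```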

Added: May 14, 2026, 7:22 AM
Updated: May 14, 2026, 7:22 AM

Vulnerability Rating

Custom Algorithm

spread: 8.8
impact: 7.5
exploitability: 7.9
remediation: 8.3
relevance: 0.0
threat: 9.9
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.