
Thread: Mitigation Tomcat CVE-2020-1938

  1. #1

    Mitigation Tomcat CVE-2020-1938


    • Operating system: Ubuntu Server 18.04.4 LTS
    • Apache version: 2.4.29-1ubuntu4.12
    • Apache Tomcat: 8.5.39-1ubuntu1~18.04.3
    • Apache mod_jk: 1:1.2.43-1


    First of all, I read many technical documents from Debian/Ubuntu and Red Hat; in theory, if the firewall is enabled and does not let out port 8009, the vulnerability is mitigated.

    But as we use AJP, we prefer to enable the mitigation through a password too.

    I tested the mitigation on Windows Servers with the same versions of Apache, Tomcat and mod_jk and it works, but when I test the same config on Ubuntu Server, the communication between Apache and Tomcat through AJP does not happen.

    The error trace in mod_jk is this:

    Code:
    [Tue Mar 03 16:11:18.102 2020] [28055:139750426003200] [info] jk_open_socket::jk_connect.c (817): connect to ::1:8009 failed (errno=111)
    [Tue Mar 03 16:11:18.102 2020] [28055:139750426003200] [info] ajp_connect_to_endpoint::jk_ajp_common.c (1068): (ajp13_worker) Failed opening socket to (::1:8009) (errno=111)
    [Tue Mar 03 16:11:18.102 2020] [28055:139750426003200] [error] ajp_send_request::jk_ajp_common.c (1728): (ajp13_worker) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=111)
    [Tue Mar 03 16:11:18.102 2020] [28055:139750426003200] [info] ajp_service::jk_ajp_common.c (2778): (ajp13_worker) sending request to tomcat failed (recoverable), because of error during request sending (attempt=1)
    [Tue Mar 03 16:11:18.202 2020] [28055:139750426003200] [info] jk_open_socket::jk_connect.c (817): connect to ::1:8009 failed (errno=111)
    [Tue Mar 03 16:11:18.202 2020] [28055:139750426003200] [info] ajp_connect_to_endpoint::jk_ajp_common.c (1068): (ajp13_worker) Failed opening socket to (::1:8009) (errno=111)
    [Tue Mar 03 16:11:18.202 2020] [28055:139750426003200] [error] ajp_send_request::jk_ajp_common.c (1728): (ajp13_worker) connecting to backend failed. Tomcat is probably not started or is listening on the wrong port (errno=111)
    [Tue Mar 03 16:11:18.202 2020] [28055:139750426003200] [info] ajp_service::jk_ajp_common.c (2778): (ajp13_worker) sending request to tomcat failed (recoverable), because of error during request sending (attempt=2)
    [Tue Mar 03 16:11:18.202 2020] [28055:139750426003200] [error] ajp_service::jk_ajp_common.c (2799): (ajp13_worker) connecting to tomcat failed (rc=-3, errors=3, client_errors=0).
    [Tue Mar 03 16:11:18.203 2020] [28055:139750426003200] [info] jk_handler::mod_jk.c (2995): Service error=-3 for worker=ajp13_worker

    Document for mitigation: link.

    Summary of the tasks done:

    Modify server.xml

    Code:
    <Connector port="8009"
               protocol="AJP/1.3"
               redirectPort="8443"
               requiredSecret="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" />

    workers.properties

    Code:
    workers.tomcat_home=/usr/share/tomcat8

    workers.java_home=/usr/lib/jvm/default-java

    ps=/

    worker.list=ajp13_worker

    worker.ajp13_worker.port=8009
    worker.ajp13_worker.host=localhost
    worker.ajp13_worker.type=ajp13
    #worker.ajp13_worker.secret=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    worker.ajp13_worker.lbfactor=1

    worker.loadbalancer.type=lb
    worker.loadbalancer.balance_workers=ajp13_worker
    #worker.loadbalancer.secret=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    # configure jk-status
    #worker.list=jk-status
    #worker.jk-status.type=status
    #worker.jk-status.read_only=true
    # configure jk-manager
    #worker.list=jk-manager
    #worker.jk-manager.type=status

    What could my error be?

    I thank you for any help you can give me on the subject.
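A quick consistency check for the two files shown in this post, added here as an example (not the poster's code and not part of Tomcat or mod_jk): it parses a server.xml and a workers.properties and reports the conditions a defender would verify for the AJP secret mitigation, namely the worker secret being commented out (as it is in the posted workers.properties), the two secrets differing, and the connector not being bound to loopback. The file contents are constructed inline with a placeholder secret.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the posted server.xml, placeholder secret.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
             requiredSecret="REPLACE_ME_32_CHARS" />
</Service></Server>"""

# Constructed sample: the worker secret is commented out, as in the post.
WORKERS_PROPERTIES = """worker.list=ajp13_worker
worker.ajp13_worker.port=8009
worker.ajp13_worker.host=localhost
worker.ajp13_worker.type=ajp13
#worker.ajp13_worker.secret=REPLACE_ME_32_CHARS
"""

def load_properties(text):
    """Parse key=value lines; '#' lines are skipped, so a commented-out secret is absent."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_ajp_secret(server_xml, workers_properties):
    """Return findings as strings; an empty list means both sides agree."""
    findings = []
    props = load_properties(workers_properties)
    for conn in (c.attrib for c in ET.fromstring(server_xml).iter("Connector")
                 if c.get("protocol", "").upper().startswith("AJP")):
        port = conn.get("port")
        # Tomcat 8.5.39 reads requiredSecret; newer releases also accept secret.
        tomcat_secret = conn.get("requiredSecret") or conn.get("secret")
        if not tomcat_secret:
            findings.append(f"port {port}: Tomcat connector has no requiredSecret/secret")
        if conn.get("address") not in ("127.0.0.1", "::1", "localhost"):
            findings.append(f"port {port}: connector not bound to loopback (no address=)")
        for name in (n.strip() for n in props.get("worker.list", "").split(",")):
            if props.get(f"worker.{name}.type") != "ajp13" or props.get(f"worker.{name}.port") != port:
                continue
            worker_secret = props.get(f"worker.{name}.secret")
            if worker_secret is None:
                findings.append(f"worker {name}: secret missing or commented out, Tomcat will reject its requests")
            elif worker_secret != tomcat_secret:
                findings.append(f"worker {name}: secret does not match the connector's")
    return findings
```

Note that a rejected secret shows up as an HTTP 403 from Tomcat, not as the errno=111 connection refusals in the trace above, which indicate nothing accepted the TCP connection to ::1:8009 at all.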

  2. #2

    Re: Mitigation Tomcat CVE-2020-1938

    So you are blocking port 8009 but expecting it to communicate with your localhost?

    You'd need to specify that you're allowing for localhost but blocking for all others.

    https://serverfault.com/questions/24...calhost-access

    This may be easier to do in a gui on Windows. I don't know. I don't administrate Windows.

  3. #3

    Re: Mitigation Tomcat CVE-2020-1938

    Hi

    Port 8009 is closed at the server level with ufw. Since Tomcat and Apache are on the same server, they can communicate perfectly with each other at the localhost level.

    The security recommendation is to put a password on the AJP service in order to mitigate the vulnerability, until a version of Tomcat that has the patch of the higher corrected versions is released.

    If we had the Apache and Tomcat services on separate servers it would still be more urgent to enable mitigation.

    According to the National Vulnerability Database documentation and to Ubuntu and Debian, it is urgent to patch it, but for the affected versions there is no solution yet in Debian and Ubuntu.

    I know how to mitigate it (I tested on Windows servers and it works), but if I enable it on Ubuntu Server, the service apparently starts without problems, but mod_jk does not link with the AJP service of Tomcat.

    See the attached links.

    National Vulnerability Database CVE-2020-1938
    Debian Security Tracker CVE-2020-1938
    Ubuntu Security CVE-2020-1938

  4. #4

    Re: Mitigation Tomcat CVE-2020-1938

    Yes, I understand. UFW will block the entire port, and you will not be able to communicate with localhost. You will need to adjust the rule with IPTables.

    Delete the rule from UFW and follow the steps in the post I submitted. If you're unfamiliar with how iptables work, I recommend doing a quick study on YouTube or however you learn the best.

  5. #5

    Re: Mitigation Tomcat CVE-2020-1938

    Hi EuclideanCoffee

    First of all thank you for your answers.

    I tested opening port 8009 in ufw and uncommenting the config in server.xml and worker.xml. The services work without issues.

    Then I deleted the 8009 rule from ufw (the communication between the services is at the loopback level), and the services continued working without issues.

    To ensure that the configuration of Tomcat AJP was correct, we commented out the secret in worker.xml and restarted the Apache service.

    The result of that change, as we expected, was that Apache's communication was rejected by Tomcat because the worker did not have the credentials. Then we rolled back the change, restarted Apache, and the communication worked again.

    I could not replicate the issue again; the only things I did today were upgrade the kernel, restart the server, and enable Tomcat manager access in context.xml.

    So all I can say is that the issue is solved, but I am not sure why it happened.

    "Start-Date: 2020-03-16 09:21:51
    Commandline: apt full-upgrade -y
    Requested-By: administrator (1000)
    Install: linux-modules-extra-4.15.0-91-generic:amd64 (4.15.0-91.92, automatic), linux-image-4.15.0-91-generic:amd64 (4.15.0-91.92, automatic), linux-headers-4.15.0-91:amd64 (4.15.0-91.92, automatic), linux-modules-4.15.0-91-generic:amd64 (4.15.0-91.92, automatic), linux-headers-4.15.0-91-generic:amd64 (4.15.0-91.92, automatic)
    Upgrade: linux-headers-generic:amd64 (4.15.0.88.80, 4.15.0.91.83), linux-image-generic:amd64 (4.15.0.88.80, 4.15.0.91.83), linux-generic:amd64 (4.15.0.88.80, 4.15.0.91.83)
    End-Date: 2020-03-16 09:23:02"

  6. #6

    Re: Mitigation Tomcat CVE-2020-1938

    It is the UFW rule, friend. lol. Glad it worked.
