What is Ghostcat?
Logo by Chaitin Tech
CVE-2020-1938 is a file inclusion vulnerability within Tomcat, when using the AJP Connector. If the attacker has the ability to upload files into the document root, this can be used as part of attack chain to cause a Remote Code Execution (RCE).
The vulnerability was discovered by Chaitin Tech, and dubbed as Ghostcat. Affected Tomcat versions are outlined below.
Tomcat Version | Affected Release |
Apache Tomcat 9 | 9.0.30 and lower |
Apache Tomcat 8 | 8.5.50 and lower |
Apache Tomcat 7 | 7.0.99 and lower |
What Does This Mean for Yellowfin Users?
Keep in mind that Tomcat is installed with Yellowfin during your full installation. Yellowfin upgrades do not increment this Tomcat version. What this means is, whatever version of Tomcat we were shipping with at the time of your first installation will not have changed.
The good news is that Yellowfin does not enable the AJP Connector. In other words, unless you have explicitly altered the server.xml to enable this, you are not affected by Ghostcat. In order to verify this, edit your <YellowfinInstall>/appserver/conf/server.xml file and search for AJP. You should see a snippet as below.
<!-- Define an AJP 1.3 Connector on port 8009 <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
This snippet was taken from a default installation of Yellowfin. You can see that the connector itself is commented out. You can verify the same within your configuration by searching for any active connectors that use the AJP protocol.
Wait, I Want Tomcat Upgraded!
This is definitely best practice. It's important to monitor Tomcat releases and upgrade this according to requirements or policy. Luckily, this can be done external to Yellowfin itself. This article details how to upgrade Tomcat, in order to keep up with security and bug fixes.
To summarize, typical Yellowfin installations are not affected by this listing. This should give Administrators adequate time to review the upgrade process. And as always, if you have any problems please let us know!