Zero-day vulnerability allows remote code execution in Apache Tomcat APJ CNVD-2020-10487/CVE-2020-1938

A team of vulnerability testing specialists has revealed the discovery of a remote code execution vulnerability in the Apache Tomcat AJP connector, which communicates with the web connector using the AJP protocol.

According to the report, the vulnerability exists due to an incorrect validation on the Apache Tomcat AJP connector; a remote threat actor can send a specially designed AJP request to deliver a malicious payload and lead to arbitrary code execution on the target system. If successfully exploited, the flaw can lead to the total compromise of the attacked system, so the vulnerability testing experts consider it a critical flaw.

The vulnerability, tracked as CNVD-2020-10487/CVE-2020-1938, must be corrected immediately because, although there are no known cases of exploitation in the wild, it exposes vulnerable systems to major cybersecurity threats.

The flaw was detected by a group of vulnerability testing experts from a Chinese security firm, who sent the report, along with a proof of concept, to Apache Tomcat managers in a timely manner; security patches for this flaw are already available. There are no known workarounds at this time, so vulnerable deployment administrators are advised to upgrade as soon as possible.

This has been a complex start to the year for Apache Tomcat managers. A few weeks ago it was reported the finding of another vulnerability in the Apache Tomcat authentication process that gave threat actors the ability to deploy some attack variants. Although the researchers initially considered that the possibility of exploiting this flaw was very low, subsequent analyses modified the initial diagnosis, so the vulnerability, tracked as CVE-2019-17563, was reclassified as severe, forcing the release of emergency updates.

For more information on the most recently detected security flaws, exploits, cyberattacks, and malware analysis, you can visit the official website of the International Institute of Cyber Security (IICS), as well as the official websites and forums of technology companies currently working to correct major information security threats.