Multiple Vulnerabilities in Red Hat Products Could Allow for Arbitrary File Reading
MS-ISAC ADVISORY NUMBER:2020-029
Multiple vulnerabilities have been discovered in Red Hat products, the most severe of which could allow for reading of arbitrary files on the affected system. If the server is running a web application that allows for file uploads, a remote file inclusion vulnerability becomes exploitable, which could allow for remote code execution. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If the application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights. Successful exploitation of these vulnerabilities could allow an attacker to read arbitrary files on the affected server or possibly execute code.
Proof-of-concept code has been released to GitHub by multiple security researchers.
- Red Hat JBoss Web Server (JWS) versions 3.1.7 and 5.2.0
- Red Hat JBoss Enterprise Application Platform (EAP) versions 6.x and 7.x
- Red Hat Enterprise Linux (RHEL) versions 5.x ELS, 6.x, 7.x, and 8.x (as pki-servlet-container, pki-servlet-engine in pki-deps module)
- Large and medium government entities: MEDIUM
- Small government entities: MEDIUM
- Large and medium business entities: MEDIUM
- Small business entities: MEDIUM
Multiple vulnerabilities have been discovered in Red Hat products, the most severe of which could allow for reading of arbitrary files on the affected system. CVE-2020-1938 is a file read/inclusion vulnerability in the AJP connector in Apache Tomcat. CVE-2020-1745 is a vulnerability very similar to CVE-2020-1938 but occurs in Apache Undertow. These vulnerabilities exists in the AJP protocol which is, by default, exposed over TCP port 8009 and enabled. An attacker with the ability to interact with the AJP protocol could exploit theses vulnerabilities using especially crafted packets and/or files. Successful exploitation of these vulnerabilities could allow an attacker to read arbitrary files on the affected server or, in the case where file upload functionality is enabled, possibly execute code.
We recommend the following actions be taken:
- Apply the mitigations provided by Red Hat after appropriate testing.
- If the AJP service is not required, disable it on the host.
- If the AJP service does not need to be publicly accessible, ensure that access is filtered.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Apply the Principle of Least Privilege to all systems and services.