GhostCat Vulnerability Affects Apache Tomcat Servers (Important to Act Now)
A vulnerability in the Tomcat AJP protocol can be exploited to read file contents and access source code and configuration files. If the servers allow file uploads, the flaw can also be exploited to remotely execute code. Dubbed GhostCat because it has existed in Tomcat for more than a decade, the vulnerability affects Tomcat versions 6.x, 7.x, 8.x, and 9.x. Apache Tomcat has released versions 9.0.31, 8.5.51, and 7.0.100 to address the issue.
This vulnerability got a bit "lost" between RSA and Coronavirus. It should have received much more attention as exploitation is under way. Multiple proof of concept exploits are available.
The exploit requires the AJP connector to be enabled and its port, often 8009, accessible. Apply updates to Tomcat where explicitly installed. Where Tomcat is bundled with applications, you'll need to wait for the supplier to provide an update. Mitigations include disabling AJP if you're not using the service, or restricting access to port 8009. If you are using it, enable the required Secret attribute to require authenticated connections.
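A configuration check for the mitigations described above, added here as an example and not taken from the advisory or from Tomcat itself: it parses a server.xml and flags any AJP connector that listens on all interfaces or does not require a shared secret. Both server.xml fragments are constructed for illustration; `secretRequired` and `secret` are the AJP connector attributes introduced in the fixed releases (9.0.31, 8.5.51, 7.0.100).

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragments for illustration (not Tomcat's shipped config).
# WEAK mirrors the pre-fix default: AJP on 8009, all interfaces, no secret.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# HARDENED keeps AJP (for a front-end proxy that needs it) but binds it to
# loopback and requires a shared secret; the secret value is a placeholder.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_LONG_RANDOM_VALUE"
               redirectPort="8443"/>
  </Service>
</Server>"""

ALL_INTERFACES = {"0.0.0.0", "::", "::0"}

def is_ajp(connector):
    """True for an AJP connector, whether declared by protocol name or by class."""
    proto = connector.get("protocol", "HTTP/1.1")
    return proto.startswith("AJP/") or "coyote.ajp" in proto

def audit_ajp_connectors(server_xml):
    """Return one finding per weak setting on each enabled AJP connector.
    Removing the connector entirely is the better fix when nothing uses AJP."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not is_ajp(conn):
            continue
        port = conn.get("port", "?")
        address = conn.get("address")
        if address is None or address in ALL_INTERFACES:
            findings.append(f"port {port}: AJP listens on all interfaces; set address=\"127.0.0.1\" (or a trusted proxy address) and firewall the port")
        # An explicit secretRequired="true" plus a non-empty secret is required;
        # anything else is treated as accepting unauthenticated AJP connections.
        if conn.get("secretRequired", "").lower() != "true" or not conn.get("secret"):
            findings.append(f"port {port}: AJP accepts unauthenticated connections; set secretRequired=\"true\" and a strong secret")
    return findings

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_ajp_connectors(xml) or ["no findings"])
```

Run it against the real `conf/server.xml` of a Tomcat instance to see which of the three mitigations still apply to that host.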