When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Geode
APPApache1.12.0Apache Tomcat
APPApache7.0.0 – 7.0.100 (bez)8.5.0 – 8.5.51 (bez)9.0.0 – 9.0.31 (bez)Blackberry Good Control
APPBlackberry≤ 5.2.58.38Blackberry Workspaces Server
APPBlackberry7.0.17.1.28.1.09.0Debian
OSDebian10.08.09.0Fedora Project Fedora
OSFedoraproject303132Netapp Data Availability Services
APPNetappwszystkie wersjeNetapp Oncommand System Manager
APPNetapp3.0.0 – 3.1.3Opensuse Leap
OSOpensuse15.1Oracle Agile Engineering Data Management
APPOracle6.2.1.0Oracle Agile Plm
APPOracle9.3.39.3.59.3.6Oracle Communications Element Manager
APPOracle8.1.18.2.08.2.1Oracle Communications Instant Messaging Server
APPOracle10.0.1.4.0Oracle Health Sciences Empirica Inspections
APPOracle1.0.1.2Oracle Health Sciences Empirica Signal
APPOracle7.3.3Oracle Hospitality Guest Access
APPOracle4.2.04.2.1Oracle Instantis Enterprisetrack
APPOracle17.1 – 17.3Oracle MySQL Enterprise Monitor
APPOracle8.0.0 – 8.0.20≤ 4.0.12Oracle Siebel Ui Framework
APPOracle≤ 20.5Oracle Transportation Management
APPOracle6.3.7Oracle Workload Manager
APPOracle12.2.0.118c19c
CISA KEV — detailsi
- Vendori
- Apache ↗
- Producti
- Tomcat
- Added to KEVi
- March 3, 2022
- Remediation deadline (US Federal)i
- March 17, 2022(overdue)
Apply updates per vendor instructions.
Apache Tomcat treats Apache JServ Protocol (AJP) connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited.
Related vulnerabilities
GNU Inetutils telnetd: ominięcie uwierzytelnienia przez zmienną USER
Sudo: eskalacja uprawnień do root poprzez opcję --chroot (CVE-2025-32463)
RCE przez deserializację PHP w Roundcube Webmail (parametr _from)
Erlang/OTP SSH — nieuwierzytelniony RCE (CVSS 10.0)
Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki