Background information
Apache Tomcat is a servlet container developed by the Jakarta project, which is a part of the Apache Software Foundation. By default, Apache Tomcat uses Apache JServ Protocol (AJP) connectors to exchange data with other web servers.
Attackers can exploit a vulnerability in AJP connectors to read arbitrary files from any webapp directory of Apache Tomcat, which lets them retrieve the configuration files or source code in any webapp directory. For applications that allow users to upload files, attackers can upload files that contain malicious Jakarta Server Pages (JSP) code to the server and then exploit the vulnerability to include those files. This allows the attackers to achieve remote code execution (RCE) and obtain permissions on the server. In Apache Tomcat, AJP is enabled by default and bound to the IP address 0.0.0.0. If AJP is disabled and port 8009 is inaccessible from the Internet, this vulnerability poses a low risk, because SAE instances are deployed in virtual private clouds (VPCs).
Affected customers
- Customers who used WAR packages to deploy applications in SAE.
- Customers who used images to deploy applications in SAE and configured the Tomcat AJP connector in the Tomcat server.xml file.
Solutions
- Customers who used WAR packages to deploy applications in SAE must redeploy applications by calling API operations or using the SAE console.
- Customers who used images to deploy applications in SAE must create new images by using a Tomcat version where the Tomcat AJP connector has been commented out. Then, customers can redeploy applications by using these images.
Vulnerability check
Use a webshell to log on to the container, locate the Tomcat conf directory, and check whether the server.xml file contains the following configuration:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
- If the configuration is absent, the vulnerability has been fixed.
- If the configuration exists, you need to fix the vulnerability. For more information about how to fix the vulnerability, see Solutions.
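The check above can be scripted. The following is an added example, not part of the original advisory or of SAE: it strips XML comments from server.xml before searching, so a connector that was only commented out (the fix described under Solutions) is correctly reported as absent rather than as a false positive, and it also recognizes the explicit org.apache.coyote.ajp.* protocol class names besides the AJP/1.3 form quoted above. The two sample server.xml files are constructed in temporary paths for illustration.

```shell
# Added example: report whether a Tomcat server.xml still has an active AJP connector.
strip_xml_comments() {
  # Drop <!-- ... --> blocks, including multi-line ones; reads stdin.
  awk '
  {
    line = $0; out = ""
    while (length(line) > 0) {
      if (incomment) {
        e = index(line, "-->")
        if (e == 0) break            # comment continues on the next line
        line = substr(line, e + 3); incomment = 0
      } else {
        s = index(line, "<!--")
        if (s == 0) { out = out line; break }
        out = out substr(line, 1, s - 1)
        line = substr(line, s + 4); incomment = 1
      }
    }
    print out
  }'
}

ajp_connector_status() {
  # $1: path to a server.xml. Prints "active" when an uncommented AJP connector
  # (protocol AJP/1.3 or an org.apache.coyote.ajp.* class) remains, else "absent".
  if strip_xml_comments < "$1" | grep -Eq 'protocol="(AJP/1\.3|org\.apache\.coyote\.ajp\.[A-Za-z0-9]+)"'; then
    echo active
  else
    echo absent
  fi
}

# Constructed sample files (temporary paths, not a real SAE deployment).
VULNERABLE_XML=$(mktemp)
cat > "$VULNERABLE_XML" <<'EOF'
<Service name="Catalina">
  <!-- Define an AJP 1.3 Connector on port 8009 -->
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service>
EOF
FIXED_XML=$(mktemp)
cat > "$FIXED_XML" <<'EOF'
<Service name="Catalina">
  <!--
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  -->
</Service>
EOF
echo "vulnerable sample: $(ajp_connector_status "$VULNERABLE_XML")"  # active
echo "fixed sample: $(ajp_connector_status "$FIXED_XML")"            # absent
```

Run it inside the container against the real file with ajp_connector_status /path/to/tomcat/conf/server.xml; "active" means the Solutions section still applies.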