Tomcat AJP (CVE-2020-1938) – vendor patched immediately. Problem resolved. Feb 2020

Preface: What is the best way for a web server and a servlet container to communicate?

Technical details: The ajp13 protocol is packet-oriented. A binary format was presumably chosen over the more readable plain text for reasons of performance. It carries the communication between the web server and the servlet container.

Vulnerability details: If the Apache web server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution (RCE). In addition, a remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server.

Remedy: If you cannot take further action at the moment, you can choose to disable the AJP Connector directly. Please refer to the attached diagram. Versions 9.0.31, 8.5.51, and 7.0.100 remedy this vulnerability.
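
A quick way to check a host against the remedy above, as an added example that is not part of the original post or of Tomcat itself: it lists the AJP connectors still enabled in a server.xml and compares the installed version with the fixed releases named here. The sample server.xml, the function names and the version strings passed in are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases as listed on this page, keyed by (major, minor) branch.
FIXED = {(9, 0): 31, (8, 5): 51, (7, 0): 100}

# Constructed sample server.xml: one live AJP connector, one disabled by commenting out.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <!-- <Connector port="8010" protocol="AJP/1.3" redirectPort="8443" /> -->
  </Service>
</Server>"""


def enabled_ajp_connectors(server_xml):
    """Return (port, address) for every AJP connector that is not commented out."""
    root = ET.fromstring(server_xml)  # XML comments are skipped by the parser
    found = []
    for conn in root.iter("Connector"):
        # protocol may be "AJP/1.3" or a class such as org.apache.coyote.ajp.AjpNioProtocol
        if "ajp" in conn.get("protocol", "").lower():
            found.append((conn.get("port"), conn.get("address", "(not set)")))
    return found


def is_patched(version):
    """True/False for the branches listed in FIXED, None for any other branch."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    major, minor, patch = map(int, m.groups())
    fixed = FIXED.get((major, minor))
    return None if fixed is None else patch >= fixed


def audit(server_xml, version):
    """Action is needed when AJP is enabled and the build is not known to be patched."""
    connectors = enabled_ajp_connectors(server_xml)
    patched = is_patched(version)
    return {"ajp_connectors": connectors, "patched": patched,
            "action_needed": bool(connectors) and patched is not True}


if __name__ == "__main__":
    print(audit(SAMPLE_SERVER_XML, "9.0.30"))
```

A connector that has been commented out in server.xml is not reported, which matches the "disable the AJP Connector" remedy.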