Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (Jira)" <ji...@apache.org> on 2022/02/05 11:22:00 UTC

[jira] [Commented] (OFBIZ-11848) Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996)

    [ https://issues.apache.org/jira/browse/OFBIZ-11848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17487475#comment-17487475 ] 

Jacques Le Roux commented on OFBIZ-11848:
-----------------------------------------

Hi [~mbrohl],

This discussion is about OFBIZ-12558 and what to put into allowedRequestAttributesPattern.

With OFBIZ-11407, you first moved to Tomcat 9.0.31. Then with [b791dca commit|https://github.com/apache/ofbiz-framework/commit/b791dca] you added allowedRequestAttributesPattern, which is great.

For OFBIZ-12558 I commented allowedRequestAttributesPattern out. So OOTB it now has the Tomcat default value, which is null. So it's the same situation as before your b791dca commit. My question is: what issue/s did you come across that led you to change it to all possibilities (ie ".*")?

I wonder because between OFBIZ-11407 (23/Feb/20) and the b791dca commit (03/Jul/20) the demos were running (they were down for security reasons between 2020-08-11 and 2020-12-1 in relation to OFBIZ-12080) w/o an AJP-related problem. I checked, and I found nothing AJP-specific in the [then HTTPD config|https://github.com/apache/ofbiz-tools/tree/master/demo-backup/site-enabled3].

The demos are still down and I don't want to put in place all that is necessary to test them on my own locally. But I'd like to be sure the Tomcat default value (null) will not block them when they are, hopefully soon, back. And of course we need to set the best possible value or clearly explain it to our users in https://github.com/apache/ofbiz-framework/blob/trunk/framework/catalina/ofbiz-component.xml.

TIA

PS: For those interested the possible values for allowedRequestAttributesPattern are defined at https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html

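To make the difference between the three candidate settings discussed above concrete (Tomcat's default null, the ".*" from b791dca, and a narrow pattern), here is an added model of the documented allowedRequestAttributesPattern behaviour. It is not Tomcat's or OFBiz's own code: it assumes, per the Tomcat 9 AJP connector documentation, that the regex must match the whole attribute name, that null admits no arbitrary attribute, and that a non-matching attribute rejects the request with 403; the AJP_LOCAL_ADDR/AJP_REMOTE_PORT exemption and the sample request are constructed assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Attribute names the AJP connector interprets itself (assumed set for this
# model); every other name arriving as a generic AJP request attribute is
# subject to allowedRequestAttributesPattern.
CONNECTOR_HANDLED = {"AJP_LOCAL_ADDR", "AJP_REMOTE_PORT"}

# Constructed sample: attributes a reverse proxy in front of OFBiz might
# forward over AJP (AJP_* names are constructed, not taken from a real setup).
SAMPLE_REQUEST = {
    "AJP_REMOTE_PORT": "51234",          # handled by the connector itself
    "AJP_FORWARDED_USER": "demo-user",   # arbitrary attribute from the proxy
}


def compile_pattern(value: Optional[str]) -> Optional[re.Pattern]:
    """Model the connector attribute value. None is Tomcat's documented
    default (no arbitrary attribute allowed). Otherwise the Java regex is
    compiled; the examples here only use syntax Python and Java share."""
    return None if value is None else re.compile(value)


def check_request(pattern: Optional[re.Pattern],
                  attributes: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (HTTP status, accepted attribute names) for one AJP request.
    fullmatch() mirrors the documented 'must match the entire attribute
    name' rule (Java's Matcher.matches()); a single non-matching arbitrary
    attribute rejects the whole request with 403, as the docs describe."""
    accepted: List[str] = []
    for name in attributes:
        if name in CONNECTOR_HANDLED:
            accepted.append(name)
            continue
        if pattern is None or pattern.fullmatch(name) is None:
            return 403, []
        accepted.append(name)
    return 200, accepted


def compare_settings(attributes: Dict[str, str]) -> Dict[Optional[str], int]:
    """Evaluate the same request under the settings under discussion."""
    candidates = [None, ".*", "AJP_[A-Z_]+"]
    return {c: check_request(compile_pattern(c), attributes)[0] for c in candidates}


if __name__ == "__main__":
    for setting, status in compare_settings(SAMPLE_REQUEST).items():
        print(f"allowedRequestAttributesPattern={setting!r}: HTTP {status}")
```

Running it shows that only the proxy-forwarded AJP_FORWARDED_USER attribute is affected: the null default rejects the request, while both ".*" and the narrower "AJP_[A-Z_]+" accept it, so a pattern no wider than what the front-end HTTPD actually sends is enough.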

> Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996)
> -----------------------------------------------------
>
>                 Key: OFBIZ-11848
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11848
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: 17.12.03, Trunk, 18.12.01
>            Reporter: Michael Brohl
>            Assignee: Michael Brohl
>            Priority: Major
>             Fix For: Release Branch 17.12, 18.12.01
>
>
> CVE-2020-11996 Apache Tomcat HTTP/2 Denial of Service
> Severity: Important
> Vendor: The Apache Software Foundation
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.0-M5
> Apache Tomcat 9.0.0.M1 to 9.0.35
> Apache Tomcat 8.5.0 to 8.5.55
> Description:
> A specially crafted sequence of HTTP/2 requests could trigger high CPU
> usage for several seconds. If a sufficient number of such requests were
> made on concurrent HTTP/2 connections, the server could become unresponsive.
> Mitigation:
> - Upgrade to Apache Tomcat 10.0.0-M6 or later
> - Upgrade to Apache Tomcat 9.0.36 or later
> - Upgrade to Apache Tomcat 8.5.56 or later
> Credit:
> This issue was reported publicly via the Apache Tomcat Users mailing
> list without reference to the potential for DoS. The DoS risks were
> identified by the Apache Tomcat Security Team.
> References:
> [1] http://tomcat.apache.org/security-10.html
> [2] http://tomcat.apache.org/security-9.html
> [3] http://tomcat.apache.org/security-8.html


