Posted to commits@ofbiz.apache.org by jl...@apache.org on 2022/02/10 13:18:11 UTC

[ofbiz-framework] 01/04: Documented: Possible authenticated attack related to Tomcat CVE-2020-1938 (OFBIZ-12558)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 61ddf046a527be9e3c5a23cccae4a5959d607f47
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Mon Feb 7 10:40:43 2022 +0100

    Documented: Possible authenticated attack related to Tomcat CVE-2020-1938 (OFBIZ-12558)
    
    Explains that the current AJP config works only for localhost
---
 framework/catalina/ofbiz-component.xml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/framework/catalina/ofbiz-component.xml b/framework/catalina/ofbiz-component.xml
index c30f231..8b5c576 100644
--- a/framework/catalina/ofbiz-component.xml
+++ b/framework/catalina/ofbiz-component.xml
@@ -81,7 +81,8 @@ under the License.
                  This is in relation with 
                  https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
                  and
-                 https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors 
+                 https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors
+                 Long story short, with this configuration only locahost works...
             -->
             <!-- <property name="secretRequired" value="false"/>
             <property name="allowedRequestAttributesPattern" value=".*"/> -->
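Review bot: the added comment line has a typo, "locahost" should be "localhost", and "only locahost works..." does not say what "works" means or why. Since `secretRequired` and `allowedRequestAttributesPattern` are left commented out just below, the AJP connector keeps Tomcat's post-9.0.31 defaults, so it only accepts connections from localhost; suggest wording it as "With secretRequired and allowedRequestAttributesPattern left at their defaults, the AJP connector only accepts connections from localhost; to expose it to another host, configure a shared secret rather than setting secretRequired to false." The trailing "..." can go as well.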