Posted to commits@ofbiz.apache.org by jl...@apache.org on 2022/02/10 13:18:11 UTC
[ofbiz-framework] 01/04: Documented: Possible authenticated attack related to Tomcat CVE-2020-1938 (OFBIZ-12558)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 61ddf046a527be9e3c5a23cccae4a5959d607f47
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Mon Feb 7 10:40:43 2022 +0100
Documented: Possible authenticated attack related to Tomcat CVE-2020-1938 (OFBIZ-12558)
Explains that the current AJP config works only for localhost
---
framework/catalina/ofbiz-component.xml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/framework/catalina/ofbiz-component.xml b/framework/catalina/ofbiz-component.xml
index c30f231..8b5c576 100644
--- a/framework/catalina/ofbiz-component.xml
+++ b/framework/catalina/ofbiz-component.xml
@@ -81,7 +81,8 @@ under the License.
This is in relation with
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
and
- https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors
+ https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors
+ Long story short, with this configuration only locahost works...
-->
<!-- <property name="secretRequired" value="false"/>
<property name="allowedRequestAttributesPattern" value=".*"/> -->
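Review bot: The added comment line misspells "localhost" as "locahost", and it trails off in an ellipsis without naming which setting restricts the AJP connector to localhost or what someone running a proxy on another host needs to change. Suggest wording such as "With this configuration the AJP connector only works for localhost", followed by one sentence saying whether the commented-out secretRequired and allowedRequestAttributesPattern properties just below are the ones to adjust. Since those are shown with value="false" and value=".*", the comment should also say that uncommenting them as written loosens the connector settings the linked Tomcat security how-to discusses, so a reader does not copy them without setting a secret.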