You are viewing a plain text version of this content. The canonical link for it is here.

Posted to notifications@ofbiz.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2022/02/04 11:32:00 UTC

[jira] [Commented] (OFBIZ-12558) Possible authenticated attack related to Tomcat CVE-2020-1938

    [ https://issues.apache.org/jira/browse/OFBIZ-12558?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17487021#comment-17487021 ] 

ASF subversion and git services commented on OFBIZ-12558:
---------------------------------------------------------

Commit 4ab4b15ade3fb544de25d259123c0ec2c5ce9df7 in ofbiz-framework's branch refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=4ab4b15 ]

Fixed: Possible authenticated attack related to Tomcat CVE-2020-1938 (OFBIZ-12558)

Despite OFBIZ-11407, the 2 values secretRequired and especially
allowedRequestAttributesPattern are commented out because of OFBIZ-12558

The Tomcat default values will be used as recommended by
https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html#Introduction
This is in relation with
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
and
https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors

Thanks: Lion Tree for report

Conflicts handled by hand in framework/catalina/ofbiz-component.xml


> Possible authenticated attack related to Tomcat CVE-2020-1938
> -------------------------------------------------------------
>
>                 Key: OFBIZ-12558
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12558
>             Project: OFBiz
>          Issue Type: Bug
>    Affects Versions: 18.12.05, Upcoming Branch
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>
> Lion Tree <li...@gmail.com> has reported us that "CVE-2020-1938 is not fully fixed". 
> Though it was fixed by OFBIZ-11407, it still possible for an authenticated user to upload a webshell included in an image using one of the OFBiz upload possibilities. That of course is not new and already covered by OFBIZ-12080 "Secure the uploads", but was still incomplete.
> So this Jira covers 2 points:
> # Disable bypass of Tomcat due to setting in framework/catalina/ofbiz-component.xml
> # Enforce upload prevention of webshells, specifically but not only those included in images 



--
This message was sent by Atlassian Jira
(v8.20.1#820001)