Posted to commits@ofbiz.apache.org by jl...@apache.org on 2022/02/10 13:18:13 UTC

[ofbiz-framework] 03/04: Improved: Possible authenticated attack related to Tomcat CVE-2020-1938 (OFBIZ-12558)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit dcb348e5b63fa27c6769fb4920411adf581b4534
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Thu Feb 10 07:33:52 2022 +0100

    Improved: Possible authenticated attack related to Tomcat CVE-2020-1938 (OFBIZ-12558)
    
    As reported by Michael, secretRequired value must be false because secret value
    is empty. Else a notifying message appears in the log saying that AJP is not available.
    
    This uncomments out secretRequired, so its value is now false, and documents more
    notably about that. I'll later add more information in the
    https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure wiki page
    
    Thanks: Michael for report
---
 README.adoc                            |  3 ++-
 framework/catalina/ofbiz-component.xml | 14 +++++++++-----
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/README.adoc b/README.adoc
index 48a4c9e..0eb2f47 100644
--- a/README.adoc
+++ b/README.adoc
@@ -167,7 +167,8 @@ Once proper mitigations to the security issues are complete the OFBiz team will
 disclose this information to the public mailing list.
 * If you find a post-auth security issue, please https://s.apache.org/dsj2p[create a bug in our issue tracker (Jira)] .
 
-
+* If you want to use AJP on a non localhost OFBiz instance, you need to set the value of allowedRequestAttributesPattern
+in framework/catalina/ofbiz-component.xml
 
 You can find more information about security in OFBiz at
 https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure[Keeping OFBiz secure]
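Review bot: the new bullet tells readers to set allowedRequestAttributesPattern for a non-localhost AJP instance but gives no hint of what a safe value is, and the only example shipped in framework/catalina/ofbiz-component.xml is the commented-out `<property name="allowedRequestAttributesPattern" value=".*"/>`, a regex that admits every request attribute and so undoes the restriction the linked Tomcat 9.0.31 changes introduced. Suggest pointing the bullet at the Tomcat AJP documentation that the component file already links, and adding that a non-localhost AJP connector also needs the shared secret (secretRequired set to true with a non-empty secret), since this commit leaves secretRequired at false with an empty secret.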
diff --git a/framework/catalina/ofbiz-component.xml b/framework/catalina/ofbiz-component.xml
index 8b5c576..85dc5cc 100644
--- a/framework/catalina/ofbiz-component.xml
+++ b/framework/catalina/ofbiz-component.xml
@@ -75,17 +75,21 @@ under the License.
             <property name="URIEncoding" value="UTF-8"/>
             <property name="xpoweredBy" value="false"/>
             <!-- AJP/13 connector attributes -->
-            <!-- Despite OFBIZ-11407, the 2 values below are commented out because of OFBIZ-12558
-                 The Tomcat default values will be used as recommended by 
+            <!-- Despite OFBIZ-11407, allowedRequestAttributesPattern is commented out because of OFBIZ-12558
+                 OOTB the Tomcat default values should be used as recommended by 
                  https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html#Introduction
                  This is in relation with 
                  https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
                  and
                  https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors
-                 Long story short, with this configuration only locahost works...
+                 But secretRequired value must be false because secret value is empty
+                 Else a notifying message appears in log saying that AJP is not available.
+                 
+                 Long story short, with this configuration only localhost works.
+                 So if you use it you need to use value/s
             -->
-            <!-- <property name="secretRequired" value="false"/>
-            <property name="allowedRequestAttributesPattern" value=".*"/> -->
+            <property name="secretRequired" value="false"/>
+            <!-- <property name="allowedRequestAttributesPattern" value=".*"/> -->
             <!-- commented out because the values match the Tomcat defaults:
             <property name="tomcatAuthentication" value="true"/>
             <property name="allowTrace" value="false"/>
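Review bot: with `secretRequired` now explicitly false and no `secret` property defined, the AJP connector accepts any AJP client without a shared secret, so the comment's "only localhost works" carries the whole protection here and holds only while the Tomcat default bind address (loopback) is kept; the comment should state that condition explicitly. The added sentence "So if you use it you need to use value/s" is unfinished and names no property; suggest completing it with what a non-localhost deployment must set together: `address`, `secretRequired` true with a non-empty `secret`, and a narrow `allowedRequestAttributesPattern` rather than the `.*` kept in the commented-out line. Minor: the added line "OOTB the Tomcat default values should be used as recommended by " ends with trailing whitespace, and "AJP/13" in the context line above is presumably meant to read "AJP/1.3".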