This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 5b1843f1c068b93d928420c80c1a8301990ef580
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Fri Feb 4 12:28:47 2022 +0100

    Fixed: Possible authenticated attack related to Tomcat CVE-2020-1938 
(OFBIZ-12558)
    
    Despite OFBIZ-11407, the 2 values secretRequired and especially
    allowedRequestAttributesPattern are commented out because of OFBIZ-12558
    
    The Tomcat default values will be used as recommended by
    https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html#Introduction
    This relates to
    https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
    and
    https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors
    
    Thanks: Lion Tree for report
---
 framework/catalina/ofbiz-component.xml | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/framework/catalina/ofbiz-component.xml 
b/framework/catalina/ofbiz-component.xml
index b323ebb..a06eddc 100644
--- a/framework/catalina/ofbiz-component.xml
+++ b/framework/catalina/ofbiz-component.xml
@@ -74,9 +74,17 @@ under the License.
             <property name="secure" value="false"/>
             <property name="URIEncoding" value="UTF-8"/>
             <property name="xpoweredBy" value="false"/>
-            <property name="secretRequired" value="false"/>
-            <property name="allowedRequestAttributesPattern" value=".*"/>
             <!-- AJP/13 connector attributes -->
+            <!-- Despite OFBIZ-11407, the 2 values below are commented out 
because of OFBIZ-12558
+                 The Tomcat default values will be used as recommended by 
+                 
https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html#Introduction
+                 This is in relation with 
+                 
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
+                 and
+                 
https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors 
+            -->
+            <!-- <property name="secretRequired" value="false"/>
+            <property name="allowedRequestAttributesPattern" value=".*"/> -->
             <!-- commented out because the values match the Tomcat defaults:
             <property name="tomcatAuthentication" value="true"/>
             <property name="allowTrace" value="false"/>
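Review bot: The new comment block says the Tomcat defaults will now apply but does not spell out what that means for this connector, which is the part an operator needs when reading ofbiz-component.xml. With `secretRequired` defaulting to `true` in Tomcat 9.0.31 and later, an AJP connector refuses to start unless a non-empty `secret` is also configured and the fronting proxy sends the same value; the enclosing connector element and its `enabled` state start outside the hunk, so I cannot tell from here whether this surfaces at startup. With `allowedRequestAttributesPattern` unset, Tomcat rejects non-standard request attributes forwarded by the proxy, so a deployment that relied on `.*` should set a narrow explicit pattern rather than restoring the wildcard. I would extend the comment with: `To re-enable AJP, set a non-empty "secret" property shared with the proxy (secretRequired defaults to true), and list only the forwarded attributes in allowedRequestAttributesPattern, never ".*".`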
