This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 61ddf046a527be9e3c5a23cccae4a5959d607f47
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Mon Feb 7 10:40:43 2022 +0100

    Documented: Possible authenticated attack related to Tomcat CVE-2020-1938 (OFBIZ-12558)
    
    Explains that the current AJP config works only for localhost
---
 framework/catalina/ofbiz-component.xml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/framework/catalina/ofbiz-component.xml 
b/framework/catalina/ofbiz-component.xml
index c30f231..8b5c576 100644
--- a/framework/catalina/ofbiz-component.xml
+++ b/framework/catalina/ofbiz-component.xml
@@ -81,7 +81,8 @@ under the License.
                  This is in relation with 
                  
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
                  and
-                 
https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors 
+                 
https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors
+                 Long story short, with this configuration only locahost 
works...
             -->
             <!-- <property name="secretRequired" value="false"/>
             <property name="allowedRequestAttributesPattern" value=".*"/> -->
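Review bot: The added comment line misspells "localhost" as "locahost", and "this configuration" is not tied to any named setting, so a reader cannot tell what restricts AJP to localhost or what to change when the front end runs on another host. Name the setting explicitly. Also, the commented-out properties directly below set secretRequired to false and allowedRequestAttributesPattern to .*, so the comment should state that uncommenting them turns off the AJP secret check and accepts every request attribute, and that a remote proxy setup should configure the connector's secret attribute instead.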
