This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release22.01 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 4bb37d795013090fa63de2db7385540a404a7278 Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Thu Feb 10 07:33:52 2022 +0100 Improved: Possible authenticated attack related to Tomcat CVE-2020-1938 (OFBIZ-12558) As reported by Michael, secretRequired value must be false because secret value is empty. Otherwise a notifying message appears in the log saying that AJP is not available. This uncomments secretRequired, so its value is now false, and documents that more notably. I'll later add more information in the https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure wiki page. Thanks: Michael for report
--- README.adoc | 3 ++- framework/catalina/ofbiz-component.xml | 14 +++++++++----- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/README.adoc b/README.adoc index 039d1b5..965b7f0 100644 --- a/README.adoc +++ b/README.adoc @@ -167,7 +167,8 @@ Once proper mitigations to the security issues are complete the OFBiz team will disclose this information to the public mailing list. * If you find a post-auth security issue, please https://s.apache.org/dsj2p[create a bug in our issue tracker (Jira)] . - +* If you want to use AJP on a non localhost OFBiz instance, you need to set the value of allowedRequestAttributesPattern +in framework/catalina/ofbiz-component.xml You can find more information about security in OFBiz at https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure[Keeping OFBiz secure] diff --git a/framework/catalina/ofbiz-component.xml b/framework/catalina/ofbiz-component.xml index b63100f..b736370 100644 --- a/framework/catalina/ofbiz-component.xml +++ b/framework/catalina/ofbiz-component.xml 
@@ -75,17 +75,21 @@ under the License. <property name="URIEncoding" value="UTF-8"/> <property name="xpoweredBy" value="false"/> <!-- AJP/13 connector attributes --> - <!-- Despite OFBIZ-11407, the 2 values below are commented out because of OFBIZ-12558 - The Tomcat default values will be used as recommended by + <!-- Despite OFBIZ-11407, allowedRequestAttributesPattern is commented out because of OFBIZ-12558 + OOTB the Tomcat default values should be used as recommended by https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html#Introduction This is in relation with https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31 and https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors - Long story short, with this configuration only locahost works... + But secretRequired value must be false because secret value is empty + Else a notifying message appears in log saying that AJP is not available. + + Long story short, with this configuration only localhost works. + So if you use it you need to use value/s --> - <!-- <property name="secretRequired" value="false"/> - <property name="allowedRequestAttributesPattern" value=".*"/> --> + <property name="secretRequired" value="false"/> + <!-- <property name="allowedRequestAttributesPattern" value=".*"/> --> <!-- commented out because the values match the Tomcat defaults: <property name="tomcatAuthentication" value="true"/> <property name="allowTrace" value="false"/>
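Review bot: the new README.adoc bullet ("If you want to use AJP on a non localhost OFBiz instance, you need to set the value of allowedRequestAttributesPattern") names the attribute but gives neither a safe value nor any mention of the shared secret, which is the very check this commit turns off with `secretRequired="false"`. A reader following it will most likely uncomment the `allowedRequestAttributesPattern=".*"` line that sits right below in ofbiz-component.xml, which accepts every request attribute a front-end proxy forwards over AJP, the exposure OFBIZ-12558 / CVE-2020-1938 is about. Suggest the bullet state that a non-empty `secret` shared with the proxy must be configured (with secretRequired left true) before AJP is reachable from anything but localhost, and that the pattern be limited to the attributes that proxy actually sends rather than `.*`. Minor: the added line has no terminating period, so it runs straight into the following "You can find more information about security in OFBiz..." sentence.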
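Review bot: in the ofbiz-component.xml hunk, `<property name="secretRequired" value="false"/>` is set two lines after a comment saying "OOTB the Tomcat default values should be used", and the only justification given is "secret value is empty", which is exactly the condition that check exists to refuse. The "notifying message ... saying that AJP is not available" is Tomcat declining to start an AJP listener with no secret; switching the check off to silence that message removes the protection rather than satisfying it. Prefer one of: keep the default and document that operators must supply `<property name="secret" value="<shared-secret>"/>` before the connector comes up, or keep `secretRequired="false"` but state in the comment that this is only acceptable while, as the comment itself says, "only localhost works". The comment's closing sentence "So if you use it you need to use value/s" is also incomplete: say which attribute (allowedRequestAttributesPattern, secret) and which kind of values are meant. Minor: "This is in relation with" should read "This is in relation to"; the "locahost" to "localhost" fix is good.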