This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit ff5e4731098f4566f3a8f3af9e6376f75dc3b85d
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Thu Feb 10 07:33:52 2022 +0100

Improved: Possible authenticated attack related to Tomcat CVE-2020-1938 (OFBIZ-12558)

As reported by Michael, the secretRequired value must be false because the secret value is empty. Else a notifying message appears in the log saying that AJP is not available.

This uncomments secretRequired, so its value is now false, and documents that more notably.

I'll later add more information in the https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure wiki page

Thanks: Michael for report

--- README.adoc | 3 ++- framework/catalina/ofbiz-component.xml | 14 +++++++++----- 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/README.adoc b/README.adoc index 66db012..806fb2b 100644 --- a/README.adoc +++ b/README.adoc @@ -167,7 +167,8 @@ Once proper mitigations to the security issues are complete the OFBiz team will disclose this information to the public mailing list. * If you find a post-auth security issue, please https://s.apache.org/dsj2p[create a bug in our issue tracker (Jira)] . - +* If you want to use AJP on a non localhost OFBiz instance, you need to set the value of allowedRequestAttributesPattern +in framework/catalina/ofbiz-component.xml You can find more information about security in OFBiz at https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure[Keeping OFBiz secure] diff --git a/framework/catalina/ofbiz-component.xml b/framework/catalina/ofbiz-component.xml index b63100f..b736370 100644 --- a/framework/catalina/ofbiz-component.xml +++ b/framework/catalina/ofbiz-component.xml
@@ -75,17 +75,21 @@ under the License. <property name="URIEncoding" value="UTF-8"/> <property name="xpoweredBy" value="false"/> <!-- AJP/13 connector attributes --> - <!-- Despite OFBIZ-11407, the 2 values below are commented out because of OFBIZ-12558 - The Tomcat default values will be used as recommended by + <!-- Despite OFBIZ-11407, allowedRequestAttributesPattern is commented out because of OFBIZ-12558 + OOTB the Tomcat default values should be used as recommended by https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html#Introduction This is in relation with https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31 and https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors - Long story short, with this configuration only locahost works... + But secretRequired value must be false because secret value is empty + Else a notifying message appears in log saying that AJP is not available. + + Long story short, with this configuration only localhost works. + So if you use it you need to use value/s --> - <!-- <property name="secretRequired" value="false"/> - <property name="allowedRequestAttributesPattern" value=".*"/> --> + <property name="secretRequired" value="false"/> + <!-- <property name="allowedRequestAttributesPattern" value=".*"/> --> <!-- commented out because the values match the Tomcat defaults: <property name="tomcatAuthentication" value="true"/> <property name="allowTrace" value="false"/>
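Review bot: the new README bullet in the README.adoc hunk (@@ -167,7 +167,8 @@) under-specifies the non-localhost AJP setup: it tells the reader to "set the value of allowedRequestAttributesPattern" without saying which value, and it says nothing about the AJP secret even though the same patch sets secretRequired to false in framework/catalina/ofbiz-component.xml. With secretRequired="false" and an empty secret, an AJP connector that is reachable from other hosts accepts requests with no shared secret at all, which is the exposure the Tomcat 9.0.31 security notes linked from the connector comment are about. Suggest rewording along the lines of "* If you want to use AJP on a non-localhost OFBiz instance, set allowedRequestAttributesPattern in framework/catalina/ofbiz-component.xml to a pattern matching only the attributes your proxy sends, configure a secret shared with the proxy, and set secretRequired back to true." Two smaller points: hyphenate "non-localhost" and add a sentence break (or at least a period) between the two added lines, and consider placing the bullet outside the vulnerability-reporting list it now sits in, since it is a deployment instruction rather than a reporting step.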
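Review bot: in the ofbiz-component.xml hunk (@@ -75,17 +75,21 @@), uncommenting <property name="secretRequired" value="false"/> silences the startup message by dropping the Tomcat default rather than satisfying it; the comment itself states the value must be false only "because secret value is empty". The change that keeps the Tomcat recommendation the comment links to is to configure a non-empty secret and leave secretRequired at its default of true, or, if the connector is meant for localhost only, to keep the defaults and make sure the connector is bound to the loopback address (the address attribute is not visible in this hunk, so that is worth confirming in the same file). The comment block also needs a finished last sentence: "So if you use it you need to use value/s" does not say which values; suggest "So if you need AJP from another host, set allowedRequestAttributesPattern to a pattern matching the attributes your proxy sends and configure a secret." Finally, "OOTB the Tomcat default values should be used" now sits directly above an active secretRequired="false", which is not the Tomcat default; say explicitly that secretRequired is the one deliberate deviation and why.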