This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 1878e99a7b50eb28fc8594be5a58d084d89812ff Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Thu Feb 10 17:21:22 2022 +0100 Improved: Possible authenticated attack related to Tomcat CVE-2020-1938 (OFBIZ-12558) Change a bit the documentation while workin on https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure wiki page --- framework/catalina/ofbiz-component.xml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/framework/catalina/ofbiz-component.xml b/framework/catalina/ofbiz-component.xml index b736370..c3712b7 100644 --- a/framework/catalina/ofbiz-component.xml +++ b/framework/catalina/ofbiz-component.xml @@ -76,17 +76,19 @@ under the License. <property name="xpoweredBy" value="false"/> <!-- AJP/13 connector attributes --> <!-- Despite OFBIZ-11407, allowedRequestAttributesPattern is commented out because of OFBIZ-12558 - OOTB the Tomcat default values should be used as recommended by + OOTB the Tomcat default values are used as recommended by https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html#Introduction This is in relation with https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31 and https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors - But secretRequired value must be false because secret value is empty + + But OOTB secretRequired value must be false because secret value is empty Else a notifying message appears in log saying that AJP is not available. - Long story short, with this configuration only localhost works. - So if you use it you need to use value/s + Long story short, with OOTB configuration only localhost works. + So if you want to use AJP you need to set the values depending on your configuration. + Using ".*" to allowedRequestAttributesPattern put you at risk. --> <property name="secretRequired" value="false"/> <!-- <property name="allowedRequestAttributesPattern" value=".*"/> -->
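Review bot: the rewritten comment in the ofbiz-component.xml hunk tells the reader to "set the values depending on your configuration" without naming which attributes, so someone enabling AJP beyond localhost is still left guessing; since the block right below it actively ships `<property name="secretRequired" value="false"/>`, the comment should spell out the minimum for a non-localhost deployment: set a non-empty `secret`, flip `secretRequired` to `true`, and, if request attributes must be forwarded, give `allowedRequestAttributesPattern` a narrow pattern rather than `".*"`. Suggested wording for the last two added lines: `So if you want to use AJP beyond localhost, set a secret, set secretRequired to true, and keep allowedRequestAttributesPattern as narrow as possible.` / `Setting allowedRequestAttributesPattern to ".*" puts you at risk.` (the current "put you at risk" is also a grammar slip). Minor: the added line that is only `+` introduces a stray blank line inside the comment; drop it to keep the comment compact.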