| 2020-03-01 12:47:11 |
Thomas |
bug |
|
|
added bug |
| 2020-03-01 12:48:00 |
Thomas |
tags |
|
focal |
|
| 2020-03-01 12:50:01 |
Thomas |
summary |
"secret" parameter not available in mod_proxy_ajp |
"secret" parameter not available in mod_proxy_ajp on focal |
|
| 2020-03-01 12:51:47 |
Thomas |
cve linked |
|
2020-1938 |
|
| 2020-03-01 12:55:36 |
Thomas |
description |
AJP needs a "secret" parameter on focal since tomcat9 9.0.31-1. Likely CVE-2020-1938 (Ghostcat) is the reason for this.
Unfortunately, in Apache 2.4 this parameter is not available yet in the stable version 2.4.41 (currently only in the development branch 2.5). When setting the "secret" parameter via
ProxyPass / ajp://localhost:8009/ secret="secret_key"
the following error appears in the service log:
ProxyPass unknown Worker parameter
Workaround:
Use 'secretRequired="false"' in the "<Connector >" line on the tomcat side. Caution: This workaround weakens security in relation to CVE-2020-1938, so this *might* cause security issues.
Proposed fix:
Port the "secret" parameter in mod_proxy_ajp back to Apache 2.4, advise users to create a reasonable secret. |
AJP needs a "secret" parameter on focal since tomcat9 9.0.31-1. Likely CVE-2020-1938 (Ghostcat) is the reason for this.
Unfortunately, in Apache 2.4 this parameter is not available yet in the stable version 2.4.41 (currently only in the development branch 2.5). When setting the "secret" parameter via
ProxyPass / ajp://localhost:8009/ secret="secret_key"
the following error appears in the service log:
ProxyPass unknown Worker parameter
Workaround:
Use 'secretRequired="false"' in the "<Connector >" line on the tomcat side. Caution: This workaround weakens security in relation to CVE-2020-1938, so this might cause security issues. Access to port 8009 *must* be restricted in other ways, e.g. by a firewall or by 'address="127.0.0.1"' in the Connector.
Proposed fix:
Port the "secret" parameter in mod_proxy_ajp back to Apache 2.4, advise users to create a reasonable secret. |
|
| 2020-03-01 13:32:38 |
Thomas |
description |
AJP needs a "secret" parameter on focal since tomcat9 9.0.31-1. Likely CVE-2020-1938 (Ghostcat) is the reason for this.
Unfortunately, in Apache 2.4 this parameter is not available yet in the stable version 2.4.41 (currently only in the development branch 2.5). When setting the "secret" parameter via
ProxyPass / ajp://localhost:8009/ secret="secret_key"
the following error appears in the service log:
ProxyPass unknown Worker parameter
Workaround:
Use 'secretRequired="false"' in the "<Connector >" line on the tomcat side. Caution: This workaround weakens security in relation to CVE-2020-1938, so this might cause security issues. Access to port 8009 *must* be restricted in other ways, e.g. by a firewall or by 'address="127.0.0.1"' in the Connector.
Proposed fix:
Port the "secret" parameter in mod_proxy_ajp back to Apache 2.4, advise users to create a reasonable secret. |
AJP needs a "secret" parameter on focal since tomcat9 9.0.31-1. Likely this change was triggered by CVE-2020-1938 (Ghostcat).
Unfortunately, in Apache 2.4 this parameter is not available yet in the stable version 2.4.41 (currently only in the development branch 2.5). When setting the "secret" parameter via
ProxyPass / ajp://localhost:8009/ secret="secret_key"
the following error appears in the service log:
ProxyPass unknown Worker parameter
Workaround:
Use 'secretRequired="false"' in the "<Connector >" line on the tomcat side. Caution: This workaround weakens security in relation to CVE-2020-1938, so this might cause security issues. Access to port 8009 *must* be restricted by other means, e.g. by a firewall or by 'address="127.0.0.1"' in the Connector (obviously this always has been a good idea).
Proposed fix:
Port the "secret" parameter in mod_proxy_ajp back to Apache 2.4, advise users to create a reasonable secret. |
|
| 2020-03-02 06:19:47 |
Philipp Wendler |
bug |
|
|
added subscriber Philipp Wendler |
| 2020-03-04 21:45:16 |
Andreas Hasenack |
bug watch added |
|
https://bugzilla.redhat.com/show_bug.cgi?id=1397241 |
|
| 2020-03-04 21:45:20 |
Andreas Hasenack |
apache2 (Ubuntu): status |
New |
Triaged |
|
| 2020-03-04 21:45:29 |
Andreas Hasenack |
apache2 (Ubuntu): importance |
Undecided |
High |
|
| 2020-03-04 21:45:34 |
Andreas Hasenack |
tags |
focal |
focal server-next |
|
| 2020-03-05 18:51:43 |
Andreas Hasenack |
apache2 (Ubuntu): status |
Triaged |
In Progress |
|
| 2020-03-05 18:51:45 |
Andreas Hasenack |
apache2 (Ubuntu): assignee |
|
Andreas Hasenack (ahasenack) |
|
| 2020-03-05 21:11:39 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/apache2/+git/apache2/+merge/380324 |
|
| 2020-03-07 08:14:19 |
Thomas |
description |
AJP needs a "secret" parameter on focal since tomcat9 9.0.31-1. Likely this change was triggered by CVE-2020-1938 (Ghostcat).
Unfortunately, in Apache 2.4 this parameter is not available yet in the stable version 2.4.41 (currently only in the development branch 2.5). When setting the "secret" parameter via
ProxyPass / ajp://localhost:8009/ secret="secret_key"
the following error appears in the service log:
ProxyPass unknown Worker parameter
Workaround:
Use 'secretRequired="false"' in the "<Connector >" line on the tomcat side. Caution: This workaround weakens security in relation to CVE-2020-1938, so this might cause security issues. Access to port 8009 *must* be restricted by other means, e.g. by a firewall or by 'address="127.0.0.1"' in the Connector (obviously this always has been a good idea).
Proposed fix:
Port the "secret" parameter in mod_proxy_ajp back to Apache 2.4, advise users to create a reasonable secret. |
AJP needs a "secret" parameter on focal since tomcat9 9.0.31-1. Likely this change was triggered by CVE-2020-1938 (Ghostcat).
Unfortunately, in Apache 2.4 this parameter is not available yet in the stable version 2.4.41 (currently only in the development branch 2.5). When setting the "secret" parameter via
ProxyPass / ajp://localhost:8009/ secret=secretkey
the following error appears in the service log:
ProxyPass unknown Worker parameter
Workaround:
Use 'secretRequired="false"' in the "<Connector >" line on the tomcat side. Caution: This workaround weakens security in relation to CVE-2020-1938, so this might cause security issues. Access to port 8009 *must* be restricted by other means, e.g. by a firewall or by 'address="127.0.0.1"' in the Connector (obviously this always has been a good idea).
Proposed fix:
Port the "secret" parameter in mod_proxy_ajp back to Apache 2.4, advise users to create a reasonable secret. |
|
| 2020-03-07 12:38:18 |
Launchpad Janitor |
apache2 (Ubuntu): status |
In Progress |
Fix Released |
|
| 2020-07-17 20:11:20 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~ahasenack/ubuntu/+source/apache2/+git/apache2/+merge/387613 |
|
| 2020-07-21 13:23:59 |
Launchpad Janitor |
merge proposal unlinked |
https://code.launchpad.net/~ahasenack/ubuntu/+source/apache2/+git/apache2/+merge/387613 |
|
|
