[ https://issues.apache.org/jira/browse/OFBIZ-11848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17151031#comment-17151031 ]

Michael Brohl commented on OFBIZ-11848:
---------------------------------------

I am proposing the following changes according to the migration guide 
(https://tomcat.apache.org/migration-9.html#Upgrading_9.0.x):

In 9.0.31 onwards, the default listen address of the AJP Connector was changed 
to the loopback address rather than all addresses.

-> No change necessary in OFBiz, the specified address is 0.0.0.0.

In 9.0.31 onwards, the requiredSecret attribute of the AJP Connector was 
deprecated and replaced by the secret attribute.

-> Proposed change: add property with empty value.

In 9.0.31 onwards, the secretRequired attribute was added to the AJP Connector. 
If set to true, the default, the AJP Connector will not start unless a secret 
has been specified.

-> Proposed change: set to false (default is true) to keep the older state.

In 9.0.31 onwards, the allowedRequestAttributesPattern attribute was added to 
the AJP Connector. Requests with unrecognised attributes will now be blocked 
with a 403.

-> Proposed change: add property with wildcard pattern set to ".*".
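
The three connector attributes discussed in the comment, shown as an added, constructed Tomcat server.xml fragment (not OFBiz's own catalina-container configuration and not code from this issue), with the compatibility values the comment proposes beside a hardened variant; the `ajp.secret` system property name is an assumption.

```xml
<!-- Constructed example: AJP connector with the values proposed in the comment.
     On Tomcat 9.0.31+ this keeps pre-9.0.31 behaviour: listens on all
     interfaces, no shared secret is required, and any request attribute a
     proxy forwards is accepted instead of being rejected with a 403. -->
<Connector protocol="AJP/1.3"
           address="0.0.0.0"
           port="8009"
           redirectPort="8443"
           secret=""
           secretRequired="false"
           allowedRequestAttributesPattern=".*" />

<!-- Hardened variant: only the reverse proxy on the same host can reach the
     connector, the proxy must present the shared secret (Tomcat substitutes
     ${...} from system/catalina properties; "ajp.secret" is an assumed name),
     and allowedRequestAttributesPattern is omitted so unrecognised request
     attributes are blocked, which is the 9.0.31+ default. -->
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           redirectPort="8443"
           secret="${ajp.secret}"
           secretRequired="true" />
```

If a proxy forwards extra attributes (for example via mod_jk JkEnvVar), set allowedRequestAttributesPattern to a regex naming only those attributes rather than ".*".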

> Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996)
> -----------------------------------------------------
>
>                 Key: OFBIZ-11848
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11848
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: 18.12.01, 17.12.03, Trunk
>            Reporter: Michael Brohl
>            Assignee: Michael Brohl
>            Priority: Major
>             Fix For: 18.12.01, Release Branch 17.12, Upcoming Branch
>
>
> CVE-2020-11996 Apache Tomcat HTTP/2 Denial of Service
> Severity: Important
> Vendor: The Apache Software Foundation
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.0-M5
> Apache Tomcat 9.0.0.M1 to 9.0.35
> Apache Tomcat 8.5.0 to 8.5.55
> Description:
> A specially crafted sequence of HTTP/2 requests could trigger high CPU
> usage for several seconds. If a sufficient number of such requests were
> made on concurrent HTTP/2 connections, the server could become unresponsive.
> Mitigation:
> - Upgrade to Apache Tomcat 10.0.0-M6 or later
> - Upgrade to Apache Tomcat 9.0.36 or later
> - Upgrade to Apache Tomcat 8.5.56 or later
> Credit:
> This issue was reported publicly via the Apache Tomcat Users mailing
> list without reference to the potential for DoS. The DoS risks were
> identified by the Apache Tomcat Security Team.
> References:
> [1] http://tomcat.apache.org/security-10.html
> [2] http://tomcat.apache.org/security-9.html
> [3] http://tomcat.apache.org/security-8.html



--
This message was sent by Atlassian Jira
(v8.3.4#803005)