[ https://issues.apache.org/jira/browse/OFBIZ-11848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17487475#comment-17487475 ]

Jacques Le Roux commented on OFBIZ-11848:
-----------------------------------------

Hi [~mbrohl],

This discussion is about OFBIZ-12558 and what to put into 
allowedRequestAttributesPattern.

With OFBIZ-11407, you first moved to Tomcat 9.0.31. Then with [b791dca 
commit|https://github.com/apache/ofbiz-framework/commit/b791dca] you added 
allowedRequestAttributesPattern, which is great.

For OFBIZ-12558 I commented allowedRequestAttributesPattern out. So OOTB it now 
has the Tomcat default value, which is null. So it's the same situation as 
before your b791dca commit. My question is: what issue(s) did you run into that 
led you to change it to allow all possibilities (i.e. ".*")?

I wonder because between OFBIZ-11407 (23/Feb/20) and the b791dca commit (03/Jul/20) 
the demos were running (they were down for security reasons between 2020-08-11 
and 2020-12-1 in relation to OFBIZ-12080) without an AJP related problem. I 
checked, and I found nothing AJP specific in the [then HTTPD 
config|https://github.com/apache/ofbiz-tools/tree/master/demo-backup/site-enabled3].

The demos are still down and I don't want to put in place all that is necessary to 
test them on my own locally. But I'd like to be sure the Tomcat default value (null) 
will not block them when they are, hopefully soon, back. And of course we need 
to set the best possible value or clearly explain to our users in 
https://github.com/apache/ofbiz-framework/blob/trunk/framework/catalina/ofbiz-component.xml.

TIA

PS: For those interested the possible values for 
allowedRequestAttributesPattern are defined at 
https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html
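For readers following the allowedRequestAttributesPattern question, here is an added illustration, written in Tomcat's own server.xml syntax rather than OFBiz's ofbiz-component.xml and not taken from the issue or its commits, of the settings the comment contrasts: the attribute left unset (the Tomcat default, null), the permissive ".*" that b791dca introduced, and an explicit allowlist. The attribute name CUSTOM_HEADER_ID and the secret value are constructed placeholders; nothing on this issue says the demo HTTPD config forwards any custom attribute.

```xml
<!-- Added example, not OFBiz code. Three variants of the AJP connector as it
     would appear in Tomcat's conf/server.xml. Pick exactly one in a real file;
     OFBiz sets the equivalent properties in framework/catalina/ofbiz-component.xml. -->

<!-- Variant 1: Tomcat default. allowedRequestAttributesPattern is omitted, so it
     is null: the attributes the AJP protocol itself defines are still accepted,
     but any additional attribute the reverse proxy forwards makes Tomcat answer
     403 Forbidden for that request. Since 9.0.31 the connector also binds to
     loopback and requires a shared secret by default. -->
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           redirectPort="8443"
           secretRequired="true"
           secret="PLACEHOLDER-shared-with-httpd" />

<!-- Variant 2: what b791dca did. Every attribute name is accepted, so Tomcat no
     longer filters what the proxy (or anything able to reach the AJP port)
     injects as request attributes. The shared secret and loopback binding are
     then the only controls on that channel. -->
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           redirectPort="8443"
           secretRequired="true"
           secret="PLACEHOLDER-shared-with-httpd"
           allowedRequestAttributesPattern=".*" />

<!-- Variant 3: explicit allowlist. Only the attribute(s) the front end is known to
     send are permitted; anything else is still rejected with 403 as in variant 1.
     With mod_proxy_ajp an httpd environment variable named AJP_CUSTOM_HEADER_ID is
     forwarded as the request attribute CUSTOM_HEADER_ID (the AJP_ prefix is
     stripped), so the pattern must match the stripped name. CUSTOM_HEADER_ID is a
     constructed placeholder name. -->
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           redirectPort="8443"
           secretRequired="true"
           secret="PLACEHOLDER-shared-with-httpd"
           allowedRequestAttributesPattern="^(CUSTOM_HEADER_ID)$" />
```

If the demos came back with variant 1 and a 403 appeared on every proxied request, the Tomcat access log and catalina.out would show which attribute was refused, and that name is what belongs in a variant 3 pattern; ".*" is only needed when the set of forwarded attributes is genuinely unknown.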


> Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996)
> -----------------------------------------------------
>
>                 Key: OFBIZ-11848
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11848
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: 17.12.03, Trunk, 18.12.01
>            Reporter: Michael Brohl
>            Assignee: Michael Brohl
>            Priority: Major
>             Fix For: Release Branch 17.12, 18.12.01
>
>
> CVE-2020-11996 Apache Tomcat HTTP/2 Denial of Service
> Severity: Important
> Vendor: The Apache Software Foundation
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.0-M5
> Apache Tomcat 9.0.0.M1 to 9.0.35
> Apache Tomcat 8.5.0 to 8.5.55
> Description:
> A specially crafted sequence of HTTP/2 requests could trigger high CPU
> usage for several seconds. If a sufficient number of such requests were
> made on concurrent HTTP/2 connections, the server could become unresponsive.
> Mitigation:
> - Upgrade to Apache Tomcat 10.0.0-M6 or later
> - Upgrade to Apache Tomcat 9.0.36 or later
> - Upgrade to Apache Tomcat 8.5.56 or later
> Credit:
> This issue was reported publicly via the Apache Tomcat Users mailing
> list without reference to the potential for DoS. The DoS risks were
> identified by the Apache Tomcat Security Team.
> References:
> [1] http://tomcat.apache.org/security-10.html
> [2] http://tomcat.apache.org/security-9.html
> [3] http://tomcat.apache.org/security-8.html



--
This message was sent by Atlassian Jira
(v8.20.1#820001)