Hi, we are using Tomcat 9.0.x and 8.5.x in our stack. We make use of the AJP protocol since we use Apache HTTPD as reverse proxy and found it to be mostly hassle-free over the last few years, so we would like to continue using it. Since the HTTPD and the Tomcats are in general not on the same nodes, the AJP connector has to listen on all interfaces.

My first question is: what value do I need to set in the "address" attribute to indicate that I want the connector to listen on ALL interfaces (for IPv4 AND IPv6)? Maybe that should be documented. :-)

It is clear that the AJP ports should not be exposed to the end users (let alone the public internet ;-)) and we of course make sure that this is the case for our SaaS hosting, but on-premise customers tend to ignore the security guidelines we provide with our product and might have AJP connectors not firewalled off. So it could be that there are installations out there which have the AJP ports exposed.

This leads me to the next question, which is about the fixes themselves. I checked the changelists mentioned on these pages:

https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31

From what I gathered, these changes only disable the AJP connector by default, change the listening interface to loopback (from "all interfaces"), add a feature to filter requests by request attributes and change the way the optional secret used between HTTPD and Tomcat is configured. I could not see any changes that actually resolve the issue in the AJP connector's implementation that allow the exploit.

So the question is: is the root cause actually fixed? Or will an AJP connector that is (perhaps by accident) exposed still be vulnerable to the vulnerability? If it is, what is the recommended mitigation? We consider using the "secret" feature (the filtering by request attributes is infeasible for us), but that would be a bit of effort and we are in a hurry.
Regards JG
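As an added illustration (not part of JG's mail and not the Tomcat project's own documentation), the two server.xml AJP connector settings the mail discusses side by side: the exposed form and a hardened form using the address, secret and request-attribute filter attributes introduced in 8.5.51 / 9.0.31. The interface address, secret value and attribute pattern are placeholders to be replaced per deployment.

```xml
<!-- EXPOSED: listens on every IPv4 interface and accepts AJP requests
     from any peer without a shared secret. A reachable AJP port here
     lets any client speak AJP directly to Tomcat. -->
<Connector protocol="AJP/1.3"
           port="8009"
           address="0.0.0.0"
           secretRequired="false"
           redirectPort="8443" />

<!-- HARDENED: bind only to the internal interface that HTTPD reaches
     (placeholder address), require the shared secret that HTTPD must
     send with every request, and only allow the request attributes
     the proxy is expected to forward (placeholder pattern). -->
<Connector protocol="AJP/1.3"
           port="8009"
           address="10.0.0.5"
           secretRequired="true"
           secret="REPLACE_WITH_LONG_RANDOM_SECRET"
           allowedRequestAttributesPattern="REPLACE_WITH_EXPECTED_ATTRIBUTE_REGEX"
           redirectPort="8443" />
```

On the HTTPD side the same value is passed to mod_proxy_ajp through the AJP worker's `secret=` ProxyPass parameter (available from httpd 2.4.42); a firewall rule restricting port 8009 to the proxy hosts remains the first line of defence regardless of the secret.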