Hi,
 
we are using Tomcat 9.0.x and 8.5.x in our stack. We make use of the AJP 
protocol since we use Apache HTTPD as reverse proxy and found it to be mostly 
hassle-free over the last few years, so we would like to continue using it.
Since the HTTPD and the Tomcats are in general not on the same nodes, the AJP 
connector has to listen on all interfaces.
My first question is: what value do I need to set in the "address" attribute to 
indicate that I want the connector to listen on ALL interfaces (for IPv4 AND 
IPv6)? Maybe that should be documented. :-)
 
It is clear that the AJP ports should not be exposed to the end users (let 
alone the public internet ;-)) and we of course make sure that this is the case 
for our SaaS hosting, but on-premise customers tend to ignore the security 
guidelines we provide with our product and might have AJP connectors not 
firewalled off.
So it could be that there are installations out there which have the AJP ports 
exposed. 
 
This leads me to the next question, which is about the fixes themselves. I checked 
the changelists mentioned on these pages:
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
 
From what I gathered, these changes only disable the AJP connector by default, 
change the listening interface to loopback (from "all interfaces"), add a 
feature to filter requests by request attributes and change the way the 
optional secret used between HTTPD and Tomcat is configured.
I could not see any changes that actually resolve the issue in the AJP 
connector's implementation that allow the exploit. 
So the question is: is the root cause actually fixed? Or will an AJP connector 
that is (perhaps by accident) exposed still be vulnerable to the vulnerability?
 
If it is, what is the recommended mitigation? We consider using the "secret" 
feature (the filtering by request attributes is infeasible for us), but that 
would be a bit of effort and we are in a hurry.
 
Regards
 
JG
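As an added illustration of the two connector settings discussed in this message (the listening address and the shared secret), not part of the original mail or of the Tomcat project's own documentation, the following constructed `server.xml` fragment places an exposed AJP connector next to a hardened one. The address `10.0.1.5`, the port and the secret value are placeholders; the attribute names `address`, `secretRequired`, `secret` and `allowedRequestAttributesPattern` are the real AJP connector attributes from the 8.5.51 / 9.0.31 release line referenced above.

```xml
<!-- Constructed example, not from the original mail. -->

<!-- Weak: binds to every interface and requires no secret, so any host that
     can reach TCP/8009 can speak AJP to this Tomcat directly. -->
<Connector protocol="AJP/1.3"
           port="8009"
           address="0.0.0.0"
           secretRequired="false"
           redirectPort="8443" />

<!-- Hardened: bind only to the internal address the reverse proxy uses
     (10.0.1.5 is a placeholder), require the shared secret, and keep the
     request-attribute filter at its restrictive default (empty pattern). -->
<Connector protocol="AJP/1.3"
           port="8009"
           address="10.0.1.5"
           secretRequired="true"
           secret="REPLACE_WITH_A_LONG_RANDOM_SECRET"
           allowedRequestAttributesPattern=""
           redirectPort="8443" />
```

The same secret then has to be configured on the HTTPD side for every AJP worker, e.g. `ProxyPass "/app" "ajp://10.0.1.5:8009/app" secret=REPLACE_WITH_A_LONG_RANDOM_SECRET` (the `secret` worker parameter of mod_proxy_ajp is assumed here to be available in the HTTPD version in use; it was added in the 2.4.42 release). A quick check after the change is that a connection attempt from an address other than the proxy to port 8009 is refused at the socket level, and that a request from the proxy without the matching secret is rejected by Tomcat rather than served.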
 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
