On Wed, Mar 04, 2020 at 06:48:40AM -0800, Ariel Lira (sedici.unlp.edu.ar) wrote:
> Hi, recently a new Tomcat vulnerability called "ghostcat" came to light and
> affects almost all tomcat releases, and because of that all dspace
> installations.
>
> According to https://access.redhat.com/solutions/4851251 "The AJP protocol
> is enabled by default, with the AJP connector listening in TCP port 8009
> and bound to IP address 0.0.0.0. A remote, unauthenticated/untrusted
> attacker could exploit this AJP configuration to read web application files
> from a server exposing the AJP port to untrusted clients. In instances

That may be true of the Red Hat packaging. Your distribution may be different. Gentoo ships Tomcat with the AJP connector commented out. The thing to do is check your own configuration to ensure that it is set up the way you need it, and no more, as with any network service.

> where a poorly configured server allows file uploads, an attacker could
> upload malicious JavaServer Pages (JSP) code within a variety of file types
> to gain remote code execution (RCE)."
>
> In short: the tomcat AJP connector may allow unwanted access to files and
> remote code execution (in particular scenarios), and it is exposed by
> default in most tomcat servers.
>
> The bug was fixed in Apache Tomcat 9.0.31, 8.5.51, and 7.0.100, but if you
> can't upgrade, or if no upgrade exists for your tomcat version, you
> can try at least some quick fixes:
>
> 1) disable the AJP connector in server.xml (if you don't use a reverse proxy)
>
>    <!-- <Connector protocol="AJP/1.3" port="8009" ... /> -->
>
> 2) Bind the AJP connector to the localhost interface so it can only be accessed
>    from the same host, or the one used by your reverse proxy:
>
>    <Connector protocol="AJP/1.3" port="8009" address="localhost" .../>
>
> 3) filter/reject incoming traffic to port 8009 coming from the internet.
>
> Any correction or additional fixes are welcome.

Thank you for reporting this.

The fixed releases are not a drop-in fix. The fix is to secure the AJP connection by default, but this requires coordination with the proxy. If the connector's new 'secretRequired' property is set true (and this is the default) then Tomcat and the proxy must share a secret, which is configured with the connector's 'secret' property. I tried this out and couldn't get Apache HTTPD to cooperate. I'm told that the required proxy property was added in a version not yet released.

So, for the time being, even with a fixed version of Tomcat you may still need to take some of the steps given above, and additionally disable the fix, if your proxy is not ready to use it. I would say that the quick fixes are how Tomcat should be configured anyway. AJP isn't meant to be public.

BTW do not set 'secret' unless you mean to use it. I found out the hard way that Tomcat will check AJP traffic for the secret if it is defined, regardless of the value of 'secretRequired'. Even if you set 'secret=""' it will check each request for an empty secret.

-- 
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
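A small checker for the three conditions this thread discusses (an AJP connector that is live rather than commented out, its bind address, and the 'secret' / 'secretRequired' attributes). This is an added example and not code from the thread or from Tomcat; the server.xml it parses is constructed here and the secret value in it is a placeholder.

```python
import xml.etree.ElementTree as ET

# Addresses that keep the connector reachable only from the Tomcat host itself.
LOCAL_ADDRESSES = {"localhost", "127.0.0.1", "::1"}

# Constructed sample server.xml (not from any real deployment). The commented-out
# connector is what "quick fix 1" produces; the XML parser drops comments, so it
# is correctly not reported. The secret value below is a placeholder.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- <Connector port="8011" protocol="AJP/1.3"/> -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1" secret=""/>
    <Connector port="8012" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="false" secret="proxy-shared-secret-placeholder"/>
  </Service>
</Server>
"""


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per live AJP connector: port, effective bind address, issues."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # Tomcat treats a missing protocol attribute as HTTP/1.1; AJP connectors
        # say "AJP/1.3" or name an org.apache.coyote.ajp.* class.
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue
        # A missing address attribute means "listen on all interfaces".
        address = conn.get("address", "0.0.0.0")
        secret = conn.get("secret")
        issues = []
        if address not in LOCAL_ADDRESSES:
            issues.append("reachable from other hosts: bind to localhost or filter port "
                          + conn.get("port", "?"))
        if secret is None:
            issues.append("no shared secret: access depends entirely on network placement "
                          "(fixed releases default secretRequired=true and need one)")
        elif secret == "":
            issues.append("empty secret: Tomcat still checks every request for it; "
                          "set a real value or remove the attribute")
        # A non-empty secret on a localhost-bound connector raises no issue.
        findings.append({"port": conn.get("port"), "address": address, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f["port"], f["address"], f["issues"] or "ok")
```

Run it against a real server.xml by reading the file into a string; the report lists only connectors that Tomcat would actually start.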
