Public bug reported: AJP needs a "secret" parameter on focal since tomcat9 9.0.31-1. Likely CVE-2020-1938 (Ghostcat) is the reason for this.
Unfortunately, in Apache 2.4 this parameter is not available yet in the stable version 2.4.41 (currently only in the development branch 2.5). When setting the "secret" parameter via

    ProxyPass / ajp://localhost:8009/ secret="secret_key"

the following error appears in the service log:

    ProxyPass unknown Worker parameter

Workaround: Use 'secretRequired="false"' in the "<Connector >" line on the tomcat side.

Caution: This workaround weakens security in relation to CVE-2020-1938, so this might cause security issues. Access to port 8009 *must* be restricted in other ways, e.g. by a firewall or by 'address="127.0.0.1"' in the Connector.

Proposed fix: Port the "secret" parameter in mod_proxy_ajp back to Apache 2.4, advise users to create a reasonable secret.

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: focal

** Tags added: focal

** Summary changed:

- "secret" parameter not available in mod_proxy_ajp
+ "secret" parameter not available in mod_proxy_ajp on focal

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1938

** Description changed:

  AJP needs a "secret" parameter on focal since tomcat9 9.0.31-1. Likely CVE-2020-1938 (Ghostcat) is the reason for this.
  
  Unfortunately, in Apache 2.4 this parameter is not available yet in the stable version 2.4.41 (currently only in the development branch 2.5). When setting the "secret" parameter via
  
      ProxyPass / ajp://localhost:8009/ secret="secret_key"
  
  the following error appears in the service log:
  
      ProxyPass unknown Worker parameter
  
  Workaround: Use 'secretRequired="false"' in the "<Connector >" line on the tomcat side.
  
  Caution: This workaround weakens security in relation to
- CVE-2020-1938, so this *might* cause security issues.
+ CVE-2020-1938, so this might cause security issues. Access to port 8009
+ *must* be restricted in other ways, e.g. by a firewall or by
+ 'address="127.0.0.1"' in the Connector.
  
  Proposed fix: Port the "secret" parameter in mod_proxy_ajp back to Apache 2.4, advise users to create a reasonable secret.

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1865340

Title:
  "secret" parameter not available in mod_proxy_ajp on focal
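As an added example (not part of the bug report, the apache2 package or Tomcat itself), a small Python audit that applies the rule stated above to a Tomcat server.xml: an AJP Connector running with secretRequired="false" is only acceptable while it is bound to loopback, and a connector with a configured secret is the intended state. The sample server.xml is constructed for the demonstration; the assumption that secretRequired defaults to true since Tomcat 9.0.31 is stated in a comment.

```python
import xml.etree.ElementTree as ET

# Addresses that keep the AJP port off the network (page: 'address="127.0.0.1"').
LOOPBACK = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "localhost"}


def audit_ajp_connectors(server_xml: str):
    """Return (port, status, reason) for every AJP <Connector> in server.xml."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # AJP connectors use protocol="AJP/1.3" or the full AjpNio/AjpNio2 class name.
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue
        port = conn.get("port", "?")
        address = conn.get("address")
        secret = conn.get("secret")
        # Assumption: Tomcat 9.0.31+ defaults secretRequired to true.
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        if secret:
            findings.append((port, "ok", "AJP secret configured"))
        elif secret_required:
            findings.append((port, "misconfig",
                             "secretRequired is true but no secret is set; "
                             "Tomcat 9.0.31+ refuses to start this connector"))
        elif address in LOOPBACK:
            findings.append((port, "workaround",
                             "secretRequired=false, but bound to loopback only"))
        else:
            findings.append((port, "exposed",
                             "secretRequired=false and not bound to loopback; "
                             "port must be firewalled or address set"))
    return findings


# Constructed sample server.xml covering the cases discussed in the bug report.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" secretRequired="false" address="127.0.0.1" />
    <Connector port="8010" protocol="AJP/1.3" secretRequired="false" />
    <Connector port="8011" protocol="org.apache.coyote.ajp.AjpNioProtocol" secret="replace-me" />
    <Connector port="8012" protocol="AJP/1.3" />
  </Service>
</Server>
"""

if __name__ == "__main__":
    for port, status, reason in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {status} ({reason})")
```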