Apache Tomcat AJP File Inclusion Vulnerability (unauthenticated check)

2020-03-06 Thread Nitin Kadam
Hello Team, We received a vulnerability alert from the Security team for "Apache Tomcat AJP File Inclusion Vulnerability (unauthenticated check)" and for remediation they suggested to update Tomcat with the latest version. Can you please help to resolve the same without upgrading the existing version i.e

Re: mod_proxy_ajp equivalent for JK_LB_ACTIVATION?

2020-03-06 Thread Rainer Jung
Hi Chris, no, the status unfortunately is not available as an Apache env var. mod_proxy_ajp has a builtin provision for automatic env var forwarding: all env vars named AJP_SOMETHING will be forwarded as request attribute SOMETHING. But I see no easy way of detecting drain mode and setting

Re: issue faced in tomcat 8.5.51

2020-03-06 Thread Christopher Schultz
On 3/4/20 05:55, Dave Ford wrote: > On Fri, 2020-02-28 at 13:39 +, Rathore, Rajendra wrote: >> Caused by: java.lang.IllegalArgumentException: The AJP Connector >> is configured with secretRequired="true" but the secret attribute >> is either

mod_proxy_ajp equivalent for JK_LB_ACTIVATION?

2020-03-06 Thread Christopher Schultz
All, At $work, we use mod_jk for proxying and I'd like to move to mod_proxy_ajp with an eye toward moving to mod_proxy_http eventually. We use the JK_LB_ACTIVATION state to perform load-balanced node-draining[1] for maintenance and I'm trying to

Re: Tomcat won't use TLSv1.2

2020-03-06 Thread i...@flyingfischer.ch
On 06.03.20 at 15:41, Christopher Schultz wrote: > Markus, > > On 3/5/20 13:44, i...@flyingfischer.ch wrote: > > Try SSLProtocol="TLSv1.2" (mind the case) instead of > > sslProtocol="-all +TLSv1.2". > > This is correct when using either OpenSSL or JSSE. "sslProtocol" will > only work for JSSE

Re: [semi-OT] tomcat 7.0.100 AJP connector with mod_jk on another host

2020-03-06 Thread Christopher Schultz
Thomas, On 3/4/20 19:37, Thomas Glanzmann wrote: > allowedRequestAttributesPattern=JK_LB_ACTIVATION Note that JK_LB_ACTIVATION is already in the list of white-listed attribute names. You should probably not have to set this configuration

Re: bind Tomcat to IPv4 and IPv6 loopback, Tomcat 9.0.31

2020-03-06 Thread Christopher Schultz
Piyush, On 3/5/20 14:40, Piyush Kumar Nayak wrote: > Thanks Mark, Two connector configs works. Any ideas, on why the > behavior is different for ISAPI and mod_jk modules? What do your configurations look like for each module? -chris >

Re: Tomcat won't use TLSv1.2

2020-03-06 Thread Christopher Schultz
John, On 3/5/20 13:30, rugman66 . wrote: > I have both Apache and Tomcat running on the same RHEL. I have > successfully configured Apache to use OpenSSL TLSv1.2, but I cannot > get Tomcat to use TLSv1.2. Tomcat for some reason > > will only use

Re: Tomcat won't use TLSv1.2

2020-03-06 Thread Christopher Schultz
Markus, On 3/5/20 13:44, i...@flyingfischer.ch wrote: > Try SSLProtocol="TLSv1.2" (mind the case) instead of > sslProtocol="-all +TLSv1.2". This is correct when using either OpenSSL or JSSE. "sslProtocol" will only work for JSSE configuration, and

Re: tomcat 7.0.100 AJP connector with mod_jk on another host

2020-03-06 Thread Mark Thomas
On 06/03/2020 06:46, Thomas Glanzmann wrote: > the issue seems to be that mod_jk no longer works without a password > with tomcat7. So you need to set a password on both sites, and then > everything works again. This is not the case. Tomcat can be configured so a secret is not required. >

RE: Tomcat won't use TLSv1.2

2020-03-06 Thread Phoenix, Merka
> . wrote: >>On 2020-03-05 at 23:10 rugman66 wrote: > On Thu, Mar 5, 2020 at 10:44 AM i...@flyingfischer.ch > wrote: >> Try SSLProtocol="TLSv1.2" (mind the case) instead of sslProtocol="-all >> +TLSv1.2". >> >> Had this issue too. The connector parameters for SSL are a huge mess and >> have