Jon,

On 5/18/20 18:37, jonmcalexan...@wellsfargo.com.INVALID wrote:
> -----Original Message----- From: Mark Thomas <ma...@apache.org>
> Sent: Monday, May 18, 2020 5:29 PM To: users@tomcat.apache.org
> Subject: Re: Tomcat and Qualsys QID: 87413
>
> On 18/05/2020 21:45, jonmcalexan...@wellsfargo.com.INVALID wrote:
>> I hate bringing up old crap, but I just want to make sure I have
>> everything covered on my end. As far as this QID, the dreaded
>> Ghost Cat, and AJP, is there ANY special AJP configuration that
>> should be done to make sure that this QID is mitigated for
>> Tomcat 7.0.103, 8.5.53, and 9.0.33 and above configurations?
>
> It depends. There are too many variables. A configuration that
> would be considered secure in one scenario may be considered
> insecure in another.
>
> If you show us your AJP configuration (passwords, if any,
> masked) we can figure out what questions to ask next.
>
> Mark
>
> Thanks Mark.
>
> I'm not looking for anything specific, but more generic. I'm one of
> the guys that gets all the escalated support questions in the
> company in regards to anything Tomcat. This includes all these
> QID's, etc.. I just wanted some "best practice" information that I
> can dispense as potential ways for folks who need AJP to be able
> to resolve the QID vulnerability in their systems.
Generally, the advice is "secure your endpoints." If you are already
protecting your endpoints -- whether they are HTTP or AJP -- then all
is well. If you are not currently using an AJP "secret" and you feel
like your endpoints are secure (as I do, since I use
client-authenticated stunnel for all AJP connections), then you can
set secretRequired="false" and be ready for an upgrade.

If nobody has ever taken a look at the security of their AJP
endpoints, maybe now is a good time to do that.

Remember:

1. AJP is not encrypted
2. AJP is not authenticated
3. Tomcat by default trusts information sent via AJP more so than via
HTTP

Hope that helps,
-chris
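As an added illustration that is not part of the thread, the server.xml AJP connector forms Chris contrasts: the exposed shape that the Ghostcat-era releases refuse to start, the `secretRequired="false"` form for an endpoint that is already protected at the network layer, and the shared-secret form. Attribute names are Tomcat's own; the port, bind address and secret value are placeholders.

```xml
<!-- Added example, not from the mailing-list thread. Values are placeholders. -->

<!-- Exposed: bound to every interface with no secret. Tomcat 7.0.100 / 8.5.51 /
     9.0.31 and later refuse to start this connector unless secretRequired
     is explicitly set to "false". -->
<Connector port="8009" protocol="AJP/1.3"
           address="0.0.0.0"
           redirectPort="8443" />

<!-- Option A (Chris's case): the endpoint is protected by other means
     (loopback bind, firewall, or a client-authenticated stunnel in front),
     so the secret requirement is deliberately waived. -->
<Connector port="8009" protocol="AJP/1.3"
           address="127.0.0.1"
           secretRequired="false"
           redirectPort="8443" />

<!-- Option B: require a shared secret. The reverse proxy must present the
     same value (mod_jk: worker.<name>.secret; mod_proxy_ajp: secret=...). -->
<Connector port="8009" protocol="AJP/1.3"
           address="127.0.0.1"
           secretRequired="true"
           secret="REPLACE-WITH-A-LONG-RANDOM-VALUE"
           redirectPort="8443" />
```

Whichever form is used, the connector should still be bound to an address reachable only by the proxy, since the secret only authenticates the proxy and does not encrypt the AJP traffic.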
