Jon,

On 5/18/20 18:37, jonmcalexan...@wellsfargo.com.INVALID wrote:
> -----Original Message-----
> From: Mark Thomas <ma...@apache.org>
> Sent: Monday, May 18, 2020 5:29 PM
> To: users@tomcat.apache.org
> Subject: Re: Tomcat and Qualsys QID: 87413
>
> On 18/05/2020 21:45, jonmcalexan...@wellsfargo.com.INVALID wrote:
>> I hate bringing up old crap, but I just want to make sure I have
>> everything covered on my end. As far as this QID, the dreaded
>> Ghost Cat, and AJP, is there ANY special AJP configuration that
>> should be done to make sure that this QID is mitigated for
>> Tomcat 7.0.103, 8.5.53, and 9.0.33 and above configurations?
>
> It depends. There are too many variables. A configuration that
> would be considered secure in one scenario may be considered
> insecure in another.
>
> If you show us your AJP configuration (passwords, if any,
> masked) we can figure out what questions to ask next.
>
> Mark
>
> Thanks Mark.
>
> I'm not looking for anything specific, but more generic. I'm one of
> the guys that gets all the escalated support questions in the
> company in regards to anything Tomcat. This includes all these
> QIDs, etc. I just wanted some "best practice" information that I
> can dispense as potential ways for folks who need AJP to be able
> to resolve the QID vulnerability in their systems.

Generally, the advice is "secure your endpoints." If you are already
protecting your endpoints -- whether they are HTTP or AJP -- then all
is well.

If you are not currently using an AJP "secret" and you feel like your
endpoints are secure (as I do, since I use client-authenticated stunnel
for all AJP connections), then you can set secretRequired="false" and
be ready for an upgrade.

If nobody has ever taken a look at the security of their AJP endpoints,
maybe now is a good time to do that. Remember:

1. AJP is not encrypted
2. AJP is not authenticated
3. Tomcat by default trusts information sent via AJP more so than via HTTP

Hope that helps,

-chris
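To make the advice above concrete, here is an added server.xml example (not from Chris, Mark, or the Tomcat project) showing an exposed AJP connector next to a hardened one. It assumes the attributes the thread's Tomcat versions (7.0.100+, 8.5.51+, 9.0.31+) document for the AJP connector; the secret value and the attribute pattern are placeholders.

```xml
<!-- Weak: AJP listening on every interface with the shared secret switched off.
     Anything that can reach port 8009 can speak AJP to Tomcat, and Tomcat treats
     what it receives over AJP as coming from a trusted proxy. This is only
     acceptable when the port is already protected by something else
     (a host firewall, or a client-authenticated stunnel as Chris describes). -->
<Connector protocol="AJP/1.3"
           address="0.0.0.0"
           port="8009"
           secretRequired="false"
           redirectPort="8443" />

<!-- Hardened: bind to loopback so only a proxy or stunnel endpoint on the same
     host can connect, require the shared secret, and keep the default
     rejection of unexpected AJP request attributes. -->
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           secretRequired="true"
           secret="REPLACE-WITH-LONG-RANDOM-SECRET"
           redirectPort="8443" />

<!-- Only if the proxy legitimately forwards custom AJP attributes: allow just
     those by name. Leaving allowedRequestAttributesPattern unset means
     unrecognised attributes are rejected, which is the safer default.
     The pattern below is a placeholder for illustration. -->
<!--
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           secretRequired="true"
           secret="REPLACE-WITH-LONG-RANDOM-SECRET"
           allowedRequestAttributesPattern="^(my-custom-attribute)$"
           redirectPort="8443" />
-->
```

The same secret must be configured on the proxy side (the mod_jk worker secret, or the secret= ProxyPass parameter in httpd 2.4.42 and later), otherwise Tomcat rejects every forwarded request. Because AJP itself is neither encrypted nor authenticated, the secret only stops unsolicited connections; confidentiality on the wire still needs something like the stunnel setup the reply mentions.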