Jürgen,
On 3/5/20 01:59, "Jürgen Göres" wrote:
>
> Hi,
>
>>> If it is, what is the recommended mitigation? We consider using
>>> the "secret" feature (the filtering by request attributes is
>>> infeasible for us), but that would be a bit of effort a
Dave,
On 3/5/20 06:21, Dave Ford wrote:
> On Wed, 2020-03-04 at 13:19 -0500, Christopher Schultz wrote:
>>
>>> We're in the same position as you. External web servers
>>> talking to Tomcat servers on other boxes via AJP.
>>
>> Are those connections
Hi Dave,
On Thu, Mar 5, 2020 at 1:22 PM Dave Ford wrote:
> On Wed, 2020-03-04 at 13:19 -0500, Christopher Schultz wrote:
> >
> > > We're in the same position as you. External web servers talking
> > > to Tomcat servers on other boxes via AJP.
> >
> > Are those connections properly secured?
>
>
On Wed, 2020-03-04 at 13:19 -0500, Christopher Schultz wrote:
>
> > We're in the same position as you. External web servers talking
> > to Tomcat servers on other boxes via AJP.
>
> Are those connections properly secured?
That's not a tremendously helpful question. Which connections are you
ta
Hi,
>> If it is, what is the recommended mitigation? We consider using the
>> "secret" feature (the filtering by request attributes is infeasible
>> for us), but that would be a bit of effort and we are in a hurry.
>>
>
>We're in the same position as you. External web servers talking to
>Tomcat
Dave,
On 3/4/20 05:45, Dave Ford wrote:
> On Wed, 2020-03-04 at 10:24 +0100, Jürgen Göres wrote:
>>
>> If it is, what is the recommended mitigation? We consider using
>> the "secret" feature (the filtering by request attributes is
>> infeasible for
On Wed, 2020-03-04 at 10:24 +0100, Jürgen Göres wrote:
>
> If it is, what is the recommended mitigation? We consider using the
> "secret" feature (the filtering by request attributes is infeasible
> for us), but that would be a bit of effort and we are in a hurry.
>
We're in the same position as
Hi,
we are using Tomcat 9.0.x and 8.5.x in our stack. We make use of the AJP
protocol since we use Apache HTTPD as reverse proxy and found it to be mostly
hassle-free over the last few years, so we would like to continue using it.
Since the HTTPD and the Tomcats are in general not on the same n