** Description changed:

  AJP needs a "secret" parameter on focal since tomcat9 9.0.31-1. Likely
- CVE-2020-1938 (Ghostcat) is the reason for this.
+ this change was triggered by CVE-2020-1938 (Ghostcat).
  
  Unfortunately, in Apache 2.4 this parameter is not available yet in the
  stable version 2.4.41 (currently only in the development branch 2.5).
  When setting the "secret" parameter via
  
  ProxyPass / ajp://localhost:8009/ secret="secret_key"
  
  the following error appears in the service log:
  
  ProxyPass unknown Worker parameter
  
  Workaround:
  
  Use 'secretRequired="false"' in the "<Connector >" line on the tomcat
  side. Caution: This workaround weakens security in relation to
  CVE-2020-1938, so this might cause security issues. Access to port 8009
- *must* be restricted in other ways, e.g. by a firewall or by
- 'address="127.0.0.1"' in the Connector.
+ *must* be restricted by other means, e.g. by a firewall or by
+ 'address="127.0.0.1"' in the Connector (obviously this always has been a
+ good idea).
  
  Proposed fix:
  
  Port the "secret" parameter in mod_proxy_ajp back to Apache 2.4, advise
  users to create a reasonable secret.
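For readers comparing the settings the report mentions, the following Tomcat `server.xml` Connector variants are an added illustration and are not taken from the bug report or from the apache2 package. The `address`, `secretRequired` and `secret` attributes are real Tomcat AJP Connector attributes; the secret value shown is a placeholder that must be replaced by a long random string.

```xml
<!-- Added example (not from the bug report): three AJP Connector configurations
     for Tomcat 9.0.31 or later, from weakest to strongest. Only one of these
     lines belongs in a real server.xml. -->

<!-- Weakest: listens on every interface and does not require the AJP secret.
     This is the configuration CVE-2020-1938 style attacks rely on; avoid it. -->
<Connector protocol="AJP/1.3" port="8009" address="0.0.0.0"
           secretRequired="false" redirectPort="8443" />

<!-- Workaround described in the report: still no secret (so it works with
     mod_proxy_ajp in Apache 2.4.41), but the listener is bound to loopback,
     so only processes on the same host can reach port 8009. -->
<Connector protocol="AJP/1.3" port="8009" address="127.0.0.1"
           secretRequired="false" redirectPort="8443" />

<!-- Target state once the proxy supports the "secret" worker parameter:
     loopback binding plus a shared secret that Apache must present.
     The Apache side then uses: ProxyPass / ajp://localhost:8009/ secret="<same value>"
     Replace the placeholder with a long, random value. -->
<Connector protocol="AJP/1.3" port="8009" address="127.0.0.1"
           secretRequired="true" secret="REPLACE_WITH_LONG_RANDOM_SECRET"
           redirectPort="8443" />
```

Binding to loopback addresses the network exposure; the shared secret additionally authenticates the proxy, so the two controls complement rather than replace each other.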

https://bugs.launchpad.net/bugs/1865340

Title:
  "secret" parameter not available in mod_proxy_ajp on focal
