** Description changed:

  AJP needs a "secret" parameter on focal since tomcat9 9.0.31-1. Likely
  this change was triggered by CVE-2020-1938 (Ghostcat).

  Unfortunately, in Apache 2.4 this parameter is not available yet in the
  stable version 2.4.41 (currently only in the development branch 2.5).

  When setting the "secret" parameter via

- ProxyPass / ajp://localhost:8009/ secret="secret_key"
+ ProxyPass / ajp://localhost:8009/ secret=secretkey

  the following error appears in the service log:

  ProxyPass unknown Worker parameter

  Workaround:
  Use 'secretRequired="false"' in the "<Connector >" line on the tomcat side.

  Caution: This workaround weakens security in relation to CVE-2020-1938,
  so this might cause security issues. Access to port 8009 *must* be
  restricted by other means, e.g. by a firewall or by 'address="127.0.0.1"'
  in the Connector (obviously this always has been a good idea).

  Proposed fix:
  Port the "secret" parameter in mod_proxy_ajp back to Apache 2.4, advise
  users to create a reasonable secret.
--
https://bugs.launchpad.net/bugs/1865340

Title:
  "secret" parameter not available in mod_proxy_ajp on focal
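A check for the workaround's caveat, as an added example that is not part of the original bug report or of Tomcat or Apache: it reads a Tomcat server.xml and reports, per AJP connector, whether 'secretRequired="false"' is combined with an explicit loopback 'address'. The sample XML, the finding labels and the function names are constructed for illustration; treating a connector with no 'address' attribute as unrestricted, and a missing 'secretRequired' as "true", are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not taken from the bug report).
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" secretRequired="false" />
    <Connector port="8010" protocol="AJP/1.3" secretRequired="false"
               address="127.0.0.1" />
    <Connector port="8011" protocol="AJP/1.3" address="0.0.0.0"
               secret="constructed-placeholder" />
    <Connector port="8012" protocol="AJP/1.3" address="::1" />
  </Service>
</Server>
"""

def is_loopback(address):
    """True only for an explicitly configured loopback bind address."""
    if not address:
        return False  # assumption: no explicit address counts as unrestricted
    if address == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # hostnames other than localhost need manual review

def audit_ajp_connectors(server_xml):
    """Return {port: finding} for every AJP <Connector> in the XML text."""
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # HTTP connectors are out of scope here
        port = conn.get("port", "?")
        # Assumption: an absent secretRequired attribute means "true".
        secret_required = conn.get("secretRequired", "true").lower() != "false"
        if secret_required:
            findings[port] = "ok-secret" if conn.get("secret") else "missing-secret"
        elif is_loopback(conn.get("address")):
            findings[port] = "workaround-loopback-only"
        else:
            findings[port] = "workaround-exposed"
    return findings

if __name__ == "__main__":
    for port, finding in audit_ajp_connectors(SAMPLE_SERVER_XML).items():
        print(port, finding)
```

A "workaround-exposed" finding means the connector relies entirely on an external control such as a firewall for port 8009, which this script cannot see.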
