Dave,

On 3/4/20 05:45, Dave Ford wrote:
> On Wed, 2020-03-04 at 10:24 +0100, Jürgen Göres wrote:
>>
>> If it is, what is the recommended mitigation? We consider using
>> the "secret" feature (the filtering by request attributes is
>> infeasible for us), but that would be a bit of effort and we are
>> in a hurry.
>>
>
> We're in the same position as you. External web servers talking
> to Tomcat servers on other boxes via AJP.

Are those connections properly secured?

> We've looked at a few options, none of which seemed great:
>
> * The current stable version of Apache doesn't support the
>   'secret' attribute for AJP connectors in mod_proxy.
>
> * Valves can be used to secure Tomcat from listening to certain
>   IPs, hostnames or subnets/vlans. But...
>
> * The RemoteCIDRValve affects every protocol/port.
> * The RemoteHostValve and RemoteAddrValve only allow a single allow or
>   deny rule, which needs a regexp to match every required
>   combination of port and address/names for the whole of the desired
>   context.
>
> In our case, we'd want to permit a different set of hosts on AJP
> to those who can read the manager app, for instance. As this is
> being managed by puppet at our end, we decided the required regexp
> would be too complex and breakable and are probably going to
> isolate the AJP traffic using a firewall rule via iptables instead
> of relying on any intrinsic Tomcat feature.

If your connections are properly secured, simply set secretRequired="false"
and move on.

If they aren't properly secured, then you need to fix that (and you had to
fix that before this recent announcement).

-chris
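The three connector settings the thread turns on (the bind address, the shared `secret`, and `secretRequired`) can be checked mechanically across a fleet of server.xml files. The script below is an added example, not code from this thread or from the Tomcat project; it assumes Tomcat 8.5.51+/9.0.31+ semantics and runs against a constructed sample server.xml with one weak and one hardened AJP connector.

```python
# Audit the AJP connectors in a Tomcat server.xml for the settings this thread
# discusses: bind address, the shared 'secret', and secretRequired.  Added
# example (not from the thread or Tomcat); assumes 8.5.51+/9.0.31+ semantics.
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: one weak connector, one hardened connector.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <!-- weak: reachable on every interface, secret check switched off -->
    <Connector port="8009" protocol="AJP/1.3" address="0.0.0.0"
               secretRequired="false" redirectPort="8443" />
    <!-- hardened: loopback only, and the proxy must present the secret -->
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secret="REPLACE-WITH-A-LONG-RANDOM-VALUE" />
  </Service>
</Server>
"""

def is_ajp(connector):
    proto = connector.get("protocol", "HTTP/1.1")
    return proto.upper().startswith("AJP") or "coyote.ajp" in proto

def audit_ajp_connectors(server_xml):
    """Return {port: [finding, ...]} for each AJP connector; [] means clean."""
    results = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not is_ajp(conn):
            continue
        findings = []
        address = conn.get("address")
        # 9.0.31+ defaults to loopback but older releases bind all interfaces,
        # so a missing address is reported for review rather than assumed safe.
        if address is None:
            findings.append("no address attribute: confirm it binds to loopback")
        elif address not in LOOPBACK:
            findings.append(f"binds to {address}, not loopback")
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append('secretRequired="false": secret check disabled')
        if not conn.get("secret"):
            findings.append("no secret configured")
        results[conn.get("port", "?")] = findings
    return results

if __name__ == "__main__":
    for port, findings in audit_ajp_connectors(SAMPLE_SERVER_XML).items():
        print(port, "OK" if not findings else "; ".join(findings))
```

A connector that comes back clean still depends on the proxy side presenting the same secret and on the network path being restricted (the iptables approach Dave mentions), which this check cannot see.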