
enterprise-support team mailing list archive

[Bug 1865340] [NEW] "secret" parameter not available in mod_proxy_ajp on focal


Public bug reported:

AJP needs a "secret" parameter on focal since tomcat9 9.0.31-1. Likely
CVE-2020-1938 (Ghostcat) is the reason for this.

Unfortunately, in Apache 2.4 this parameter is not available yet in the
stable version 2.4.41 (currently only in the development branch 2.5).
When setting the "secret" parameter via

ProxyPass / ajp://localhost:8009/ secret="secret_key"

the following error appears in the service log:

ProxyPass unknown Worker parameter

Workaround:

Use 'secretRequired="false"' in the "<Connector >" line on the tomcat
side. Caution: This workaround weakens security in relation to
CVE-2020-1938, so this might cause security issues. Access to port 8009
*must* be restricted in other ways, e.g. by a firewall or by
'address="127.0.0.1"' in the Connector.

Proposed fix:

Port the "secret" parameter in mod_proxy_ajp back to Apache 2.4, advise
users to create a reasonable secret.

** Affects: apache2 (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: focal

** Tags added: focal

** Summary changed:

- "secret" parameter not available in mod_proxy_ajp
+ "secret" parameter not available in mod_proxy_ajp on focal

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-1938

** Description changed:

  AJP needs a "secret" parameter on focal since tomcat9 9.0.31-1. Likely
  CVE-2020-1938 (Ghostcat) is the reason for this.
  
  Unfortunately, in Apache 2.4 this parameter is not available yet in the
  stable version 2.4.41 (currently only in the development branch 2.5).
  When setting the "secret" parameter via
  
  ProxyPass / ajp://localhost:8009/ secret="secret_key"
  
  the following error appears in the service log:
  
  ProxyPass unknown Worker parameter
  
  Workaround:
  
  Use 'secretRequired="false"' in the "<Connector >" line on the tomcat
  side. Caution: This workaround weakens security in relation to
- CVE-2020-1938, so this *might* cause security issues.
+ CVE-2020-1938, so this might cause security issues. Access to port 8009
+ *must* be restricted in other ways, e.g. by a firewall or by
+ 'address="127.0.0.1"' in the Connector.
  
  Proposed fix:
  
  Port the "secret" parameter in mod_proxy_ajp back to Apache 2.4, advise
  users to create a reasonable secret.

-- 
You received this bug notification because you are a member of Ubuntu
Server/Client Support Team, which is subscribed to apache2 in Ubuntu.
Matching subscriptions: Ubuntu Server/Client Support Team
https://bugs.launchpad.net/bugs/1865340

Title:
  "secret" parameter not available in mod_proxy_ajp on focal

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1865340/+subscriptions
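As an added illustration of the configuration states discussed in this report (not code from the bug report, nor from the apache2 or tomcat9 packages), the following Python script reads a Tomcat server.xml and classifies every AJP `<Connector>`: a configured shared secret, the `secretRequired="false"` workaround bound to a loopback address, the same workaround with no address restriction, and a connector with neither, which Tomcat 9.0.31 and later refuses to start. The embedded server.xml is constructed for the example, the secret value is a placeholder, and the loopback address list and status labels are this script's own conventions.

```python
"""Audit a Tomcat server.xml for AJP connector hardening against CVE-2020-1938.

Classification rules (this script's own, written from the states the bug
report describes):
  secret-configured   - a non-empty secret attribute is set
  secret-missing      - secretRequired is true (the default) but no secret
                        is set; Tomcat >= 9.0.31 will not start this connector
  workaround-loopback - secretRequired="false", but address is a loopback
                        address (the workaround from the report)
  exposed-no-secret   - secretRequired="false" with no loopback binding
"""
import xml.etree.ElementTree as ET

# Addresses treated as "off the network". Assumption: a missing address
# attribute is treated as not explicitly restricted, to stay conservative.
LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost", "0:0:0:0:0:0:0:1"}

# Constructed sample server.xml covering the four states above plus one
# plain HTTP connector that the audit must ignore.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- plain HTTP connector: not AJP, skipped by the audit -->
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- workaround from the bug report: no secret, but bound to loopback -->
    <Connector port="8009" protocol="AJP/1.3" secretRequired="false"
               address="127.0.0.1" redirectPort="8443"/>
    <!-- same workaround without an address restriction -->
    <Connector port="8010" protocol="AJP/1.3" secretRequired="false"
               address="0.0.0.0"/>
    <!-- default secretRequired (true) and no secret: will not start -->
    <Connector port="8011" protocol="AJP/1.3"/>
    <!-- intended configuration once the proxy side can send the secret -->
    <Connector port="8012" protocol="AJP/1.3" secret="PLACEHOLDER_SHARED_SECRET"/>
  </Service>
</Server>
"""


def is_ajp_connector(conn: ET.Element) -> bool:
    """True when the Connector's protocol attribute names AJP
    (e.g. "AJP/1.3" or "org.apache.coyote.ajp.AjpNioProtocol")."""
    return "ajp" in conn.get("protocol", "").lower()


def classify_connector(conn: ET.Element) -> str:
    """Map one AJP Connector element to one of the four status labels."""
    secret = conn.get("secret", "").strip()
    # Tomcat's default for secretRequired is true; only a literal "false" disables it.
    secret_required = conn.get("secretRequired", "true").strip().lower() != "false"
    address = conn.get("address", "").strip()
    if secret:
        return "secret-configured"
    if secret_required:
        return "secret-missing"
    if address in LOOPBACK_ADDRESSES:
        return "workaround-loopback"
    return "exposed-no-secret"


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP Connector, in document order."""
    root = ET.fromstring(server_xml)
    return [
        {
            "port": conn.get("port", "?"),
            "address": conn.get("address", "") or "(default)",
            "status": classify_connector(conn),
        }
        for conn in root.iter("Connector")
        if is_ajp_connector(conn)
    ]


if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"port {finding['port']:>5}  address {finding['address']:<12}  {finding['status']}")
```

To audit a real installation, replace `SAMPLE_SERVER_XML` with the contents of the deployed server.xml; connectors reported as `exposed-no-secret` are the ones the report warns about, where port 8009 is reachable without a shared secret and without an address restriction.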

