How to deal with TOMCAT CVE-2020-1938: Ghostcat (AJP)

[jamiejackson]

When working with a recent snapshot/RC (5.3.5.80-SNAPSHOT-tomcat9.0-jdk11-openjdk), I saw some oddities in my logs:

 NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
 org.apache.catalina.startup.VersionLoggerListener.log Server version name:   Apache Tomcat/9.0.31
 org.apache.catalina.startup.VersionLoggerListener.log Server built:          Feb 5 2020 19:32:12 UTC
 org.apache.catalina.startup.VersionLoggerListener.log Server version number: 9.0.31.0
 org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Linux
 org.apache.catalina.startup.VersionLoggerListener.log OS Version:            4.15.0-88-generic
 org.apache.catalina.startup.VersionLoggerListener.log Architecture:          amd64
 org.apache.catalina.startup.VersionLoggerListener.log Java Home:             /usr/local/openjdk-11
 org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           11.0.6+10
 org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Oracle Corporation
 org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         /usr/local/tomcat
 org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         /usr/local/tomcat
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xms512m
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xmx4096m
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.security.egd=file:/dev/./urandom
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/usr/local/tomcat
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/local/tomcat
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/usr/local/tomcat/temp
 org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.23] using APR version [1.6.5].
 org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
 org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
 org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1d  10 Sep 2019]
 org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8888"]
 org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-127.0.0.1-8009"]
 org.apache.catalina.startup.Catalina.load Server initialization in [5,640] milliseconds
 org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
 org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.31]
 WARNING: An illegal reflective access operation has occurred
 WARNING: Illegal reflective access by org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender (file:/usr/local/tomcat/lucee/lucee.jar) to method java.net.URLClassLoader.addURL(java.net.URL)
 WARNING: Please consider reporting this to the maintainers of org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender
 WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
 WARNING: All illegal access operations will be denied in a future release
 12-Mar-2020 17:40:14.774 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8888"]
 12-Mar-2020 17:40:14.871 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to start component [Connector[AJP/1.3-8009]]
    org.apache.catalina.LifecycleException: Protocol handler start failed
        at org.apache.catalina.connector.Connector.startInternal(Connector.java:1038)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.StandardService.startInternal(StandardService.java:438)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:633)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
    Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
        at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:264)
        at org.apache.catalina.connector.Connector.startInternal(Connector.java:1035)
        ... 12 more
 org.apache.catalina.startup.Catalina.start Server startup in [14,192] milliseconds
 org.apache.coyote.AbstractProtocol.pause Pausing ProtocolHandler ["http-nio-8888"]
 org.apache.coyote.AbstractProtocol.pause Pausing ProtocolHandler ["ajp-nio-8009"]
 org.apache.catalina.core.StandardService.stopInternal Stopping service [Catalina]
 org.apache.catalina.core.StandardWrapper.unload Waiting for [1] instance(s) to be deallocated for Servlet [CFMLServlet]
 org.apache.catalina.core.StandardWrapper.unload Waiting for [1] instance(s) to be deallocated for Servlet [CFMLServlet]
 org.apache.catalina.core.StandardWrapper.unload Waiting for [1] instance(s) to be deallocated for Servlet [CFMLServlet]
 org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["http-nio-8888"]
 12-Mar-2020 17:40:34.595 SEVERE [http-nio-8888-exec-10] org.apache.coyote.http11.Http11Processor.service Error processing request
    java.lang.NullPointerException
        at org.apache.coyote.http11.Http11OutputBuffer.commit(Http11OutputBuffer.java:306)
        at org.apache.coyote.http11.Http11Processor.prepareResponse(Http11Processor.java:986)
        at org.apache.coyote.AbstractProcessor.action(AbstractProcessor.java:369)
        at org.apache.coyote.Response.action(Response.java:211)
        at org.apache.coyote.Response.sendHeaders(Response.java:437)
        at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:281)
        at org.apache.catalina.connector.OutputBuffer.close(OutputBuffer.java:241)
        at org.apache.catalina.connector.Response.finishResponse(Response.java:441)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:374)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:836)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1839)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:834)
 org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["ajp-nio-8009"]
 org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["http-nio-8888"]
 org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["ajp-nio-8009"]
 System property [org.owasp.esapi.opsteam] is not set
 System property [org.owasp.esapi.devteam] is not set

Here's the bit I'm looking into: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.

That led me here: https://dev.lucee.org/t/tomcat-cve-2020-1938-ghostcat-ajp

I haven't gone completely down the rabbit hole yet, but a few things:

• Does this matter if I have a secondary web server (HTTPD) out front proxying requests to my lucee service? That's my situation now. (But I have pretty imminent plans to use an official Lucee image that bundles nginx because I'm tired of the hassle of keeping them separate, so I'll soon need to know about that paradigm, too.)
• If it turns out that a secret is necessary, we should build some capability into the image to handle the plumbing (rather than requiring users to hand-roll xml patching routines).

Thoughts?

[jamiejackson]

I'm just using mod_proxy, so I don't seem to need AJP, but I haven't figured out how to get rid of that error in the logs yet.

[andreasRu]

What happens if you try setting secretRequired="false" in tomcats connector tag for ajp inside server.xml?

[jamiejackson]

RUN sed \
    -i 's~\(<Connector [^\>]*AJP/.*\)\( />\)~ \1 secretRequired="false" \2 ~' \
    '/usr/local/tomcat/conf/server.xml'

Yields:

 NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
 org.apache.catalina.startup.VersionLoggerListener.log Server version name:   Apache Tomcat/9.0.31
 org.apache.catalina.startup.VersionLoggerListener.log Server built:          Feb 5 2020 19:32:12 UTC
 org.apache.catalina.startup.VersionLoggerListener.log Server version number: 9.0.31.0
 org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Linux
 org.apache.catalina.startup.VersionLoggerListener.log OS Version:            4.15.0-88-generic
 org.apache.catalina.startup.VersionLoggerListener.log Architecture:          amd64
 org.apache.catalina.startup.VersionLoggerListener.log Java Home:             /usr/local/openjdk-11
 org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           11.0.6+10
 org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Oracle Corporation
 org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         /usr/local/tomcat
 org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         /usr/local/tomcat
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xms512m
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xmx4096m
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.security.egd=file:/dev/./urandom
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/usr/local/tomcat
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/local/tomcat
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/usr/local/tomcat/temp
 org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.23] using APR version [1.6.5].
 org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
 org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
 org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1d  10 Sep 2019]
 org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8888"]
 org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-127.0.0.1-8009"]
 org.apache.catalina.startup.Catalina.load Server initialization in [5,086] milliseconds
 org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.31]
13-Mar-2020 08:45:22.247 WARNING [main] org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [112] milliseconds.
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender (file:/usr/local/tomcat/lucee/lucee.jar) to method java.net.URLClassLoader.addURL(java.net.URL)
WARNING: Please consider reporting this to the maintainers of org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
13-Mar-2020 08:45:32.658 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8888"]
13-Mar-2020 08:45:32.759 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-127.0.0.1-8009"]
13-Mar-2020 08:45:32.854 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [12,610] milliseconds
 System property [org.owasp.esapi.opsteam] is not set
 System property [org.owasp.esapi.devteam] is not set
 13-Mar-2020 08:45:47.918 INFO [Thread-6] org.apache.coyote.AbstractProtocol.pause Pausing ProtocolHandler ["http-nio-8888"]
 13-Mar-2020 08:45:47.944 INFO [Thread-6] org.apache.catalina.core.StandardService.stopInternal Stopping service [Catalina]
 13-Mar-2020 08:45:47.967 INFO [Thread-6] org.apache.catalina.core.StandardWrapper.unload Waiting for [1] instance(s) to be deallocated for Servlet [CFMLServlet]
 13-Mar-2020 08:45:48.973 INFO [Thread-6] org.apache.catalina.core.StandardWrapper.unload Waiting for [1] instance(s) to be deallocated for Servlet [CFMLServlet]
 13-Mar-2020 08:45:50.041 INFO [Thread-6] org.apache.catalina.core.StandardWrapper.unload Waiting for [1] instance(s) to be deallocated for Servlet [CFMLServlet]
 13-Mar-2020 08:45:50.641 SEVERE [http-nio-8888-exec-7] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [CFMLServlet] in context with path [] threw exception [Servlet execution threw an exception] with root cause
    java.lang.ClassNotFoundException: Unable to load class 'lucee.extension.io.cache.redis.RedisCacheItem' because the bundle wiring for ${bundlename} is no longer valid.
        at org.apache.felix.framework.BundleWiringImpl.findClassOrResourceByDelegation(BundleWiringImpl.java:1562)
        at org.apache.felix.framework.BundleWiringImpl.access$300(BundleWiringImpl.java:79)
        at org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.loadClass(BundleWiringImpl.java:1982)
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
        at lucee.extension.io.cache.redis.RedisCache.getCacheEntry(RedisCache.java:64)
        at lucee.extension.io.cache.redis.RedisCache.getValue(RedisCache.java:84)
        at lucee.extension.io.cache.redis.RedisCache.getValue(RedisCache.java:100)
        at lucee.runtime.type.scope.storage.IKHandlerCache.store(IKHandlerCache.java:51)
        at lucee.runtime.type.scope.storage.IKStorageScopeSupport.store(IKStorageScopeSupport.java:448)
        at lucee.runtime.type.scope.storage.IKStorageScopeSupport.touchAfterRequest(IKStorageScopeSupport.java:273)
        at lucee.runtime.PageContextImpl.release(PageContextImpl.java:537)
        at lucee.runtime.CFMLFactoryImpl.releaseLuceePageContext(CFMLFactoryImpl.java:204)
        at lucee.runtime.engine.CFMLEngineImpl._service(CFMLEngineImpl.java:1144)
        at lucee.runtime.engine.CFMLEngineImpl.serviceCFML(CFMLEngineImpl.java:1072)
        at lucee.loader.engine.CFMLEngineWrapper.serviceCFML(CFMLEngineWrapper.java:97)
        at lucee.loader.servlet.CFMLServlet.service(CFMLServlet.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.filters.RemoteIpFilter.doFilter(RemoteIpFilter.java:904)
        at org.apache.catalina.filters.RemoteIpFilter.doFilter(RemoteIpFilter.java:961)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:688)
        at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:747)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1639)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:834)
 13-Mar-2020 08:45:55.726 INFO [Thread-6] org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["http-nio-8888"]
 13-Mar-2020 08:45:55.756 INFO [Thread-6] org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["http-nio-8888"]
 System property [org.owasp.esapi.opsteam] is not set
 System property [org.owasp.esapi.devteam] is not set

AJP part:

 org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-127.0.0.1-8009"]

So no more error, but is that the right solution? Ideally, wouldn't I want AJP disabled instead?

[andreasRu]

As far as I can recall, Tomcat is now distributing with AJP disconnected, that means that the connector tag is set as comment. I couldn't check your code, but are you sure you are commenting connector ajp tag correctly in syntax?

[jamiejackson]

Hmm, maybe something went wrong with my previous experiment, because I think it's working:

docker run --rm  lucee/lucee:5.3.5.80-SNAPSHOT-tomcat9.0-jdk11-openjdk bash -c ' \
  sed  -i "s+\(<Connector [^\>]*AJP/[^>]*>\)+<!-- TOMCAT CVE-2020-1938: Ghostcat (AJP) \1 -->+" /usr/local/tomcat/conf/server.xml \
  && grep CVE /usr/local/tomcat/conf/server.xml \
  && catalina.sh run\
'

Yields:

    <!-- TOMCAT CVE-2020-1938: Ghostcat (AJP) <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
13-Mar-2020 16:46:58.766 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name:   Apache Tomcat/9.0.31
13-Mar-2020 16:46:58.779 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          Feb 5 2020 19:32:12 UTC
13-Mar-2020 16:46:58.781 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 9.0.31.0
13-Mar-2020 16:46:58.784 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Linux
13-Mar-2020 16:46:58.786 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:            4.19.76-linuxkit
13-Mar-2020 16:46:58.792 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:          amd64
13-Mar-2020 16:46:58.795 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:             /usr/local/openjdk-11
13-Mar-2020 16:46:58.796 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           11.0.6+10
13-Mar-2020 16:46:58.797 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Oracle Corporation
13-Mar-2020 16:46:58.799 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         /usr/local/tomcat
13-Mar-2020 16:46:58.801 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         /usr/local/tomcat
13-Mar-2020 16:46:58.848 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
13-Mar-2020 16:46:58.853 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
13-Mar-2020 16:46:58.855 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
13-Mar-2020 16:46:58.856 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties
13-Mar-2020 16:46:58.859 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
13-Mar-2020 16:46:58.860 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
13-Mar-2020 16:46:58.861 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
13-Mar-2020 16:46:58.862 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
13-Mar-2020 16:46:58.863 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xms64m
13-Mar-2020 16:46:58.864 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xmx512m
13-Mar-2020 16:46:58.866 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.security.egd=file:/dev/./urandom
13-Mar-2020 16:46:58.867 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
13-Mar-2020 16:46:58.868 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/usr/local/tomcat
13-Mar-2020 16:46:58.869 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/local/tomcat
13-Mar-2020 16:46:58.871 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/usr/local/tomcat/temp
13-Mar-2020 16:46:58.873 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.23] using APR version [1.6.5].
13-Mar-2020 16:46:58.874 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
13-Mar-2020 16:46:58.875 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
13-Mar-2020 16:46:58.897 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1d  10 Sep 2019]
13-Mar-2020 16:47:00.133 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8888"]
13-Mar-2020 16:47:00.281 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [2,671] milliseconds
13-Mar-2020 16:47:00.458 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
13-Mar-2020 16:47:00.462 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.31]
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender (file:/usr/local/tomcat/lucee/lucee.jar) to method java.net.URLClassLoader.addURL(java.net.URL)
WARNING: Please consider reporting this to the maintainers of org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
13.03.2020 16:47:04,460 ERROR [server.application] application->no password set and no password file found at [/opt/lucee/server/lucee-server/context/password.txt]
13-Mar-2020 16:47:05.864 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8888"]
13-Mar-2020 16:47:05.913 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [5,627] milliseconds

[andreasRu]

Great!!! You are making progress!!! Now you only need to setup a password.txt file with a password for lucee admin inside tomcats lucee-server folder and you should be ready to go!

[jamiejackson]

Yup, that's just a stock image to keep things simple.

So is this already solved for the lucee-*-nginx images or is there still work to be done there?

Also, I'm wondering if the AJP option should be controlled a bit better in the image (maybe via an env var, e.g., TOMCAT_PROXY_PROTOCOL which does the grunt work for you). If not, then I'd suggest documenting it, or maybe starting a cookbook of container recipes.

I just hate to see anybody else spending cycles on things that other people have solved.

[carehart]

This issue remains in Feb 2021. I can confirm a couple of things:

• the lack of a secret on ajp connector element still causes that error, even in the latest Lucee Docker image's version, 5.3.7.47
• many using the Lucee Docker image wouldn't be using ajp at all. It's not needed if accessing the container via the default 8888 port (the Tomcat web server), nor if using the nginx version of the Lucee image (and its default port 80). Neither of those use ajp.
• the ajp connector would only be needed if someone was going to connect to Lucee via Apache or IIS and its ajp connector (which one could do, if running a Windows host with IIS even with the Lucee container running in Linux)
• and not only do those using the nginx variant of the image not need AJP, someone could connect to the base image also from other web servers by way of port forwarding, whether using traefik or haproxy (as well as nginx or apache, and so on), just as is true for connect to Tomcat or ACF. So the need for the AJP connector at all in the Lucee docker image may be rather limited
• in fact, if someone DID want to want to use AJP from Apache (such as with Boncode), they would have to modify this server.xml file and the ajp connector line anyway, to implement a secret attribute/value (with that value matched in the web server configuration), as well as possibly address and allowedRequestAttributesPattern attributes (see https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html)

As for solving things:

• Andreas wondered in Mar 2020 if the ajp connector element would be disabled (commented out) by default in vanilla Tomcat. But again, in the server.xml that comes with the Lucee image, the connector element IS enabled
• the sed command Jamie offered does work to comment out the ajp connector line in the server.xml, whether one does it in the docker run like he showed, or if one did it in a dockerfile that modified the based Lucee image
• all that said, it would seem the simplest solution would be for this to be corrected in the original Lucee image. Given what I've shared above, can anyone think why the connector xml line needs to enabled by default?

[isapir]

I didn't read the whole discussion, so pardon me if I missed something important, but RE:

all that said, it would seem the simplest solution would be for this to be corrected in the original Lucee image. Given what I've shared above, can anyone think why the connector xml line needs to enabled by default?

There is no reason, and it shouldn't be enabled.

If you look for example, in my project for creating Lucee Docker Images, it is commented out: https://github.com/isapir/lucee-docker/blob/master/resources/catalina-base/conf/server.xml#L116

[justincarter]

It's commented out now in the latest release (5.3.8.189)