lucee / lucee-dockerfiles

Official Lucee Dockerfiles for Docker Hub build images
https://hub.docker.com/u/lucee/
MIT License

How to deal with TOMCAT CVE-2020-1938: Ghostcat (AJP) #61

Closed jamiejackson closed 3 years ago

jamiejackson commented 4 years ago

When working with a recent snapshot/RC (5.3.5.80-SNAPSHOT-tomcat9.0-jdk11-openjdk), I saw some oddities in my logs:

 NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
 org.apache.catalina.startup.VersionLoggerListener.log Server version name:   Apache Tomcat/9.0.31
 org.apache.catalina.startup.VersionLoggerListener.log Server built:          Feb 5 2020 19:32:12 UTC
 org.apache.catalina.startup.VersionLoggerListener.log Server version number: 9.0.31.0
 org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Linux
 org.apache.catalina.startup.VersionLoggerListener.log OS Version:            4.15.0-88-generic
 org.apache.catalina.startup.VersionLoggerListener.log Architecture:          amd64
 org.apache.catalina.startup.VersionLoggerListener.log Java Home:             /usr/local/openjdk-11
 org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           11.0.6+10
 org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Oracle Corporation
 org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         /usr/local/tomcat
 org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         /usr/local/tomcat
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xms512m
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xmx4096m
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.security.egd=file:/dev/./urandom
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/usr/local/tomcat
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/local/tomcat
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/usr/local/tomcat/temp
 org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.23] using APR version [1.6.5].
 org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
 org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
 org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1d  10 Sep 2019]
 org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8888"]
 org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-127.0.0.1-8009"]
 org.apache.catalina.startup.Catalina.load Server initialization in [5,640] milliseconds
 org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
 org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.31]
 WARNING: An illegal reflective access operation has occurred
 WARNING: Illegal reflective access by org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender (file:/usr/local/tomcat/lucee/lucee.jar) to method java.net.URLClassLoader.addURL(java.net.URL)
 WARNING: Please consider reporting this to the maintainers of org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender
 WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
 WARNING: All illegal access operations will be denied in a future release
 12-Mar-2020 17:40:14.774 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8888"]
 12-Mar-2020 17:40:14.871 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to start component [Connector[AJP/1.3-8009]]
    org.apache.catalina.LifecycleException: Protocol handler start failed
        at org.apache.catalina.connector.Connector.startInternal(Connector.java:1038)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.StandardService.startInternal(StandardService.java:438)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:633)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
    Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
        at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:264)
        at org.apache.catalina.connector.Connector.startInternal(Connector.java:1035)
        ... 12 more
 org.apache.catalina.startup.Catalina.start Server startup in [14,192] milliseconds
 org.apache.coyote.AbstractProtocol.pause Pausing ProtocolHandler ["http-nio-8888"]
 org.apache.coyote.AbstractProtocol.pause Pausing ProtocolHandler ["ajp-nio-8009"]
 org.apache.catalina.core.StandardService.stopInternal Stopping service [Catalina]
 org.apache.catalina.core.StandardWrapper.unload Waiting for [1] instance(s) to be deallocated for Servlet [CFMLServlet]
 org.apache.catalina.core.StandardWrapper.unload Waiting for [1] instance(s) to be deallocated for Servlet [CFMLServlet]
 org.apache.catalina.core.StandardWrapper.unload Waiting for [1] instance(s) to be deallocated for Servlet [CFMLServlet]
 org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["http-nio-8888"]
 12-Mar-2020 17:40:34.595 SEVERE [http-nio-8888-exec-10] org.apache.coyote.http11.Http11Processor.service Error processing request
    java.lang.NullPointerException
        at org.apache.coyote.http11.Http11OutputBuffer.commit(Http11OutputBuffer.java:306)
        at org.apache.coyote.http11.Http11Processor.prepareResponse(Http11Processor.java:986)
        at org.apache.coyote.AbstractProcessor.action(AbstractProcessor.java:369)
        at org.apache.coyote.Response.action(Response.java:211)
        at org.apache.coyote.Response.sendHeaders(Response.java:437)
        at org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:281)
        at org.apache.catalina.connector.OutputBuffer.close(OutputBuffer.java:241)
        at org.apache.catalina.connector.Response.finishResponse(Response.java:441)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:374)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:836)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1839)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:834)
 org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["ajp-nio-8009"]
 org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["http-nio-8888"]
 org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["ajp-nio-8009"]
 System property [org.owasp.esapi.opsteam] is not set
 System property [org.owasp.esapi.devteam] is not set

Here's the bit I'm looking into: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.

That led me here: https://dev.lucee.org/t/tomcat-cve-2020-1938-ghostcat-ajp

I haven't gone completely down the rabbit hole yet, but a few things:

Thoughts?

jamiejackson commented 4 years ago

I'm just using mod_proxy, so I don't seem to need AJP, but I haven't figured out how to get rid of that error in the logs yet.

andreasRu commented 4 years ago

What happens if you try setting secretRequired="false" in Tomcat's AJP connector tag inside server.xml?

jamiejackson commented 4 years ago

RUN sed \
    -i 's~\(<Connector [^\>]*AJP/.*\)\( />\)~ \1 secretRequired="false" \2 ~' \
    '/usr/local/tomcat/conf/server.xml'

Yields:

 NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
 org.apache.catalina.startup.VersionLoggerListener.log Server version name:   Apache Tomcat/9.0.31
 org.apache.catalina.startup.VersionLoggerListener.log Server built:          Feb 5 2020 19:32:12 UTC
 org.apache.catalina.startup.VersionLoggerListener.log Server version number: 9.0.31.0
 org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Linux
 org.apache.catalina.startup.VersionLoggerListener.log OS Version:            4.15.0-88-generic
 org.apache.catalina.startup.VersionLoggerListener.log Architecture:          amd64
 org.apache.catalina.startup.VersionLoggerListener.log Java Home:             /usr/local/openjdk-11
 org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           11.0.6+10
 org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Oracle Corporation
 org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         /usr/local/tomcat
 org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         /usr/local/tomcat
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xms512m
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xmx4096m
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.security.egd=file:/dev/./urandom
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/usr/local/tomcat
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/local/tomcat
 org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/usr/local/tomcat/temp
 org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.23] using APR version [1.6.5].
 org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
 org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
 org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1d  10 Sep 2019]
 org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8888"]
 org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-127.0.0.1-8009"]
 org.apache.catalina.startup.Catalina.load Server initialization in [5,086] milliseconds
 org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.31]
13-Mar-2020 08:45:22.247 WARNING [main] org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [112] milliseconds.
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender (file:/usr/local/tomcat/lucee/lucee.jar) to method java.net.URLClassLoader.addURL(java.net.URL)
WARNING: Please consider reporting this to the maintainers of org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
13-Mar-2020 08:45:32.658 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8888"]
13-Mar-2020 08:45:32.759 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-127.0.0.1-8009"]
13-Mar-2020 08:45:32.854 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [12,610] milliseconds
 System property [org.owasp.esapi.opsteam] is not set
 System property [org.owasp.esapi.devteam] is not set
 13-Mar-2020 08:45:47.918 INFO [Thread-6] org.apache.coyote.AbstractProtocol.pause Pausing ProtocolHandler ["http-nio-8888"]
 13-Mar-2020 08:45:47.944 INFO [Thread-6] org.apache.catalina.core.StandardService.stopInternal Stopping service [Catalina]
 13-Mar-2020 08:45:47.967 INFO [Thread-6] org.apache.catalina.core.StandardWrapper.unload Waiting for [1] instance(s) to be deallocated for Servlet [CFMLServlet]
 13-Mar-2020 08:45:48.973 INFO [Thread-6] org.apache.catalina.core.StandardWrapper.unload Waiting for [1] instance(s) to be deallocated for Servlet [CFMLServlet]
 13-Mar-2020 08:45:50.041 INFO [Thread-6] org.apache.catalina.core.StandardWrapper.unload Waiting for [1] instance(s) to be deallocated for Servlet [CFMLServlet]
 13-Mar-2020 08:45:50.641 SEVERE [http-nio-8888-exec-7] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [CFMLServlet] in context with path [] threw exception [Servlet execution threw an exception] with root cause
    java.lang.ClassNotFoundException: Unable to load class 'lucee.extension.io.cache.redis.RedisCacheItem' because the bundle wiring for ${bundlename} is no longer valid.
        at org.apache.felix.framework.BundleWiringImpl.findClassOrResourceByDelegation(BundleWiringImpl.java:1562)
        at org.apache.felix.framework.BundleWiringImpl.access$300(BundleWiringImpl.java:79)
        at org.apache.felix.framework.BundleWiringImpl$BundleClassLoader.loadClass(BundleWiringImpl.java:1982)
        at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521)
        at lucee.extension.io.cache.redis.RedisCache.getCacheEntry(RedisCache.java:64)
        at lucee.extension.io.cache.redis.RedisCache.getValue(RedisCache.java:84)
        at lucee.extension.io.cache.redis.RedisCache.getValue(RedisCache.java:100)
        at lucee.runtime.type.scope.storage.IKHandlerCache.store(IKHandlerCache.java:51)
        at lucee.runtime.type.scope.storage.IKStorageScopeSupport.store(IKStorageScopeSupport.java:448)
        at lucee.runtime.type.scope.storage.IKStorageScopeSupport.touchAfterRequest(IKStorageScopeSupport.java:273)
        at lucee.runtime.PageContextImpl.release(PageContextImpl.java:537)
        at lucee.runtime.CFMLFactoryImpl.releaseLuceePageContext(CFMLFactoryImpl.java:204)
        at lucee.runtime.engine.CFMLEngineImpl._service(CFMLEngineImpl.java:1144)
        at lucee.runtime.engine.CFMLEngineImpl.serviceCFML(CFMLEngineImpl.java:1072)
        at lucee.loader.engine.CFMLEngineWrapper.serviceCFML(CFMLEngineWrapper.java:97)
        at lucee.loader.servlet.CFMLServlet.service(CFMLServlet.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.filters.RemoteIpFilter.doFilter(RemoteIpFilter.java:904)
        at org.apache.catalina.filters.RemoteIpFilter.doFilter(RemoteIpFilter.java:961)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:688)
        at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:747)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1639)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.base/java.lang.Thread.run(Thread.java:834)
 13-Mar-2020 08:45:55.726 INFO [Thread-6] org.apache.coyote.AbstractProtocol.stop Stopping ProtocolHandler ["http-nio-8888"]
 13-Mar-2020 08:45:55.756 INFO [Thread-6] org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["http-nio-8888"]
 System property [org.owasp.esapi.opsteam] is not set
 System property [org.owasp.esapi.devteam] is not set

AJP part:

 org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["ajp-nio-127.0.0.1-8009"]

So no more error, but is that the right solution? Ideally, wouldn't I want AJP disabled instead?

andreasRu commented 4 years ago

As far as I can recall, Tomcat is now distributed with AJP disconnected, which means that the connector tag is set as a comment. I couldn't check your code, but are you sure you are commenting out the AJP connector tag with the correct syntax?

jamiejackson commented 4 years ago

Hmm, maybe something went wrong with my previous experiment, because I think it's working:

docker run --rm  lucee/lucee:5.3.5.80-SNAPSHOT-tomcat9.0-jdk11-openjdk bash -c ' \
  sed  -i "s+\(<Connector [^\>]*AJP/[^>]*>\)+<!-- TOMCAT CVE-2020-1938: Ghostcat (AJP) \1 -->+" /usr/local/tomcat/conf/server.xml \
  && grep CVE /usr/local/tomcat/conf/server.xml \
  && catalina.sh run\
'

Yields:

    <!-- TOMCAT CVE-2020-1938: Ghostcat (AJP) <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
13-Mar-2020 16:46:58.766 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name:   Apache Tomcat/9.0.31
13-Mar-2020 16:46:58.779 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          Feb 5 2020 19:32:12 UTC
13-Mar-2020 16:46:58.781 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 9.0.31.0
13-Mar-2020 16:46:58.784 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Linux
13-Mar-2020 16:46:58.786 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:            4.19.76-linuxkit
13-Mar-2020 16:46:58.792 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:          amd64
13-Mar-2020 16:46:58.795 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:             /usr/local/openjdk-11
13-Mar-2020 16:46:58.796 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           11.0.6+10
13-Mar-2020 16:46:58.797 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Oracle Corporation
13-Mar-2020 16:46:58.799 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         /usr/local/tomcat
13-Mar-2020 16:46:58.801 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         /usr/local/tomcat
13-Mar-2020 16:46:58.848 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
13-Mar-2020 16:46:58.853 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
13-Mar-2020 16:46:58.855 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
13-Mar-2020 16:46:58.856 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties
13-Mar-2020 16:46:58.859 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
13-Mar-2020 16:46:58.860 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
13-Mar-2020 16:46:58.861 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
13-Mar-2020 16:46:58.862 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
13-Mar-2020 16:46:58.863 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xms64m
13-Mar-2020 16:46:58.864 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Xmx512m
13-Mar-2020 16:46:58.866 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.security.egd=file:/dev/./urandom
13-Mar-2020 16:46:58.867 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
13-Mar-2020 16:46:58.868 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/usr/local/tomcat
13-Mar-2020 16:46:58.869 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/local/tomcat
13-Mar-2020 16:46:58.871 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/usr/local/tomcat/temp
13-Mar-2020 16:46:58.873 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.23] using APR version [1.6.5].
13-Mar-2020 16:46:58.874 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
13-Mar-2020 16:46:58.875 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
13-Mar-2020 16:46:58.897 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.1.1d  10 Sep 2019]
13-Mar-2020 16:47:00.133 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8888"]
13-Mar-2020 16:47:00.281 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [2,671] milliseconds
13-Mar-2020 16:47:00.458 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
13-Mar-2020 16:47:00.462 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.31]
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender (file:/usr/local/tomcat/lucee/lucee.jar) to method java.net.URLClassLoader.addURL(java.net.URL)
WARNING: Please consider reporting this to the maintainers of org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
13.03.2020 16:47:04,460 ERROR [server.application] application->no password set and no password file found at [/opt/lucee/server/lucee-server/context/password.txt]
13-Mar-2020 16:47:05.864 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8888"]
13-Mar-2020 16:47:05.913 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [5,627] milliseconds

andreasRu commented 4 years ago

Great!!! You are making progress!!! Now you only need to set up a password.txt file with a password for the Lucee admin inside Tomcat's lucee-server folder and you should be ready to go!

jamiejackson commented 4 years ago

Yup, that's just a stock image to keep things simple.

So is this already solved for the lucee-*-nginx images or is there still work to be done there?

Also, I'm wondering if the AJP option should be controlled a bit better in the image (maybe via an env var, e.g., TOMCAT_PROXY_PROTOCOL which does the grunt work for you). If not, then I'd suggest documenting it, or maybe starting a cookbook of container recipes.

I just hate to see anybody else spending cycles on things that other people have solved.

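A defender's check for the state this thread is chasing, added here as an example that is not part of lucee-dockerfiles or of anyone's post above: it parses server.xml as XML instead of grepping it, so a connector that was commented out is simply absent, and for any AJP connector still live it reports whether it would fail to start (the secretRequired error in the first log), is reachable only on loopback without a secret, or is exposed without one. The sample server.xml fragments, the function names and the `default_loopback` flag are all constructed here; the flag's default reflects Tomcat 9.0.31 binding AJP to loopback when no address is set, as the `ajp-nio-127.0.0.1-8009` log line above shows.

```python
import sys
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost", "0:0:0:0:0:0:0:1"}
# Ordered from best to worst so ajp_summary() can report the worst connector found.
SEVERITY = ("disabled", "secret", "startup-failure", "loopback-nosecret", "exposed-nosecret")


def _is_ajp(connector) -> bool:
    # Tomcat accepts the short alias or a fully qualified AJP protocol handler class.
    proto = connector.get("protocol", "HTTP/1.1")
    return proto == "AJP/1.3" or proto.startswith("org.apache.coyote.ajp.")


def audit_ajp(server_xml: str, default_loopback: bool = True) -> list:
    """One finding per AJP connector that is live XML (a commented-out one is absent).

    default_loopback: Tomcat 9.0.31+ binds AJP to the loopback address when no
    address attribute is set (the issue's log shows "ajp-nio-127.0.0.1-8009");
    pass False when auditing an older Tomcat that still binds to all interfaces.
    """
    root = ET.fromstring(server_xml)  # raises ParseError on a malformed comment
    findings = []
    for conn in root.iter("Connector"):
        if not _is_ajp(conn):
            continue
        address = conn.get("address")
        secret = conn.get("secret") or ""
        secret_required = conn.get("secretRequired", "true").strip().lower() == "true"
        on_loopback = address in LOOPBACK if address else default_loopback
        if secret_required and not secret:
            # The IllegalArgumentException from the first log in this issue: the
            # connector refuses to start, so nothing listens, but the config is wrong.
            state = "startup-failure"
        elif secret:
            state = "secret"
        elif on_loopback:
            state = "loopback-nosecret"
        else:
            state = "exposed-nosecret"
        findings.append({
            "port": conn.get("port"),
            "address": address or "(default)",
            "secretRequired": secret_required,
            "state": state,
        })
    return findings


def ajp_summary(server_xml: str, default_loopback: bool = True) -> str:
    """'disabled' when no AJP connector is live, otherwise the worst state found."""
    states = [f["state"] for f in audit_ajp(server_xml, default_loopback)]
    return max(states, key=SEVERITY.index) if states else "disabled"


def _server_xml(ajp_line: str) -> str:
    # Constructed minimal server.xml around the HTTP connector the issue's logs show (port 8888).
    return f"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8888" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    {ajp_line}
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>"""


# Constructed variants of the AJP line that appear in the thread, plus a hardened one.
STOCK = _server_xml('<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />')
COMMENTED_OUT = _server_xml(
    '<!-- TOMCAT CVE-2020-1938: Ghostcat (AJP) '
    '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->')
SECRET_NOT_REQUIRED = _server_xml(
    '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" secretRequired="false" />')
HARDENED = _server_xml(
    '<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" '
    'secret="PLACEHOLDER-RANDOM-SECRET" redirectPort="8443" />')

if __name__ == "__main__":
    # Usage: python audit_ajp.py /usr/local/tomcat/conf/server.xml
    path = sys.argv[1] if len(sys.argv) > 1 else None
    xml_text = open(path, encoding="utf-8").read() if path else STOCK
    print(ajp_summary(xml_text), audit_ajp(xml_text))
```

Run it against the container's /usr/local/tomcat/conf/server.xml after any sed rewrite to confirm the result is "disabled" rather than a broken comment or a secret-less live connector.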
carehart commented 3 years ago

This issue remains in Feb 2021. I can confirm a couple of things:

As for solving things:

isapir commented 3 years ago

I didn't read the whole discussion, so pardon me if I missed something important, but RE:

all that said, it would seem the simplest solution would be for this to be corrected in the original Lucee image. Given what I've shared above, can anyone think why the connector XML line needs to be enabled by default?

There is no reason, and it shouldn't be enabled.

If you look, for example, at my project for creating Lucee Docker images, it is commented out: https://github.com/isapir/lucee-docker/blob/master/resources/catalina-base/conf/server.xml#L116

justincarter commented 3 years ago

It's commented out now in the latest release (5.3.8.189).