viviotech / lucee-installer

BitRock Installer XML config and files for the Lucee installers
http://lucee.viviotech.net/

AJP secret is mandatory for the latest Tomcat releases since CVE-2020-1938: Ghostcat #100

Closed zspitzer closed 4 years ago

zspitzer commented 4 years ago

mod_cfml already uses a secret, the tomcat AJP connector should too

secret | Only requests from workers with this secret keyword will be accepted. The default value is null. This attribute must be specified with a non-null, non-zero length value unless secretRequired is explicitly configured to be false.

secretRequired | If this attribute is true, the AJP Connector will only start if the secret attribute is configured with a non-null, non-zero length value. The default value is true. This attribute should only be set to false when the Connector is used on a trusted network.

https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487

zspitzer commented 4 years ago

unfortunately, the Apache httpd connector doesn't support this option yet and mod_cfml isn't even available for the latest versions of Apache

https://bz.apache.org/bugzilla/show_bug.cgi?id=53098

Bilal-S commented 4 years ago

Zac, as you implicitly note, Apache httpd connectors are maintained by Apache, so nothing Lucee would be able to do except wait. In my opinion, given the amount of work with all the connector permutations, this is an unlikely candidate to get done anytime soon.

Implementation-wise it would probably be better to only have the secret parameter itself. If present, it should be required for the connection?

You might want to see whether there are volunteers to make the changes to mod_cfml to support latest Apache. For example, Paul (@paulklinkenberg) implemented the secret option for mod_cfml.

paulklinkenberg commented 4 years ago

The mentioned vulnerability depends on an open AJP port on a webserver. (by default tcp:8009) In how many cases would that be true? The best mitigation: use a firewall to block all non 80/443 requests (okay, also keep 22 or 3389 open)

Also, mod_cfml does not use any of the (apache) proxy options itself; it instead just assumes a proxy to tomcat is being done later on in the process.

So, no need to do anything with modcfml here. Except maybe update the config manual: “don’t forget to activate a firewall in front of your webserver”.

As a side note, “mod_cfml isn't even available for the latest versions of Apache” does suck. We did have a contributor for that, but those builds did not work on my test machine, and are not published yet I think.

zspitzer commented 4 years ago

problem is with the latest tomcat releases, the secret is now mandatory

A backport has been requested for the Apache 2.4 mod_proxy_ajp from 2.5 http://apache-http-server.18135.x6.nabble.com/mod-proxy-ajp-backport-for-quot-secret-quot-attribute-to-2-4-x-td5051649.html

utdream commented 4 years ago

@zspitzer That's an installer update, and looks like @Bilal-S already has support for it in the BonCode Connector. I will work on this today. Thanks to all of you. =)

zspitzer commented 4 years ago

Apache 2.4.42 will support secrets

utdream commented 4 years ago

Ghostcat patched installers are up on http://lucee.viviotech.net/. Would appreciate your thoughts on them if you have a moment...

paulklinkenberg commented 4 years ago

Re. my previous comment: I completely overlooked the fact we’re in the “lucee-installers” repo here! I read “modcfml”, and was talking to @Bilal-S and @utdream , the modcfml dream team, so safely expected we were in the modcfml repo here. Now it does make sense to me, to apply changes for this vuln ;) Thanks @utdream!

zspitzer commented 4 years ago

FYI you can configure secretRequired=false, but if you also define a secret, Lucee/Tomcat won't start https://bz.apache.org/bugzilla/show_bug.cgi?id=64180

utdream commented 4 years ago

As of Lucee 5.3.4.077 pl1, AJP connector "secret=[random]" and "secretRequired=true" are now configured by default in the installers.
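Added example (not code from the Lucee installers, mod_cfml, Tomcat or Apache httpd): a Python check that reads the AJP Connector elements out of a Tomcat server.xml and classifies each one by the secret / secretRequired combinations that came up in this thread: no secret with the default secretRequired=true (the Tomcat docs quoted in the first comment say the connector will not start), secretRequired=false with no secret (starts, but unauthenticated), secretRequired=false together with a secret (the combination reported in bug 64180 as stopping Tomcat from starting), and the secret=[random] / secretRequired=true setup the installers now ship. It also prints the matching ProxyPass line for mod_proxy_ajp in Apache httpd 2.4.42+, which is where the secret parameter landed. The sample server.xml, the port numbers, the literal secret and the function names are constructed for this example.

```python
"""Classify the AJP connectors in a Tomcat server.xml by their
secret / secretRequired settings and emit the matching mod_proxy_ajp
directive. Added example; not code from the Lucee installers or Tomcat."""
import secrets
import xml.etree.ElementTree as ET

# Constructed sample server.xml with one AJP connector per combination
# discussed in the thread (ports and the literal secret are made up).
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8888" protocol="HTTP/1.1"/>
    <!-- pre-Ghostcat style: no secret; secretRequired defaults to true -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <!-- explicitly trusted network: no secret, secretRequired off -->
    <Connector port="8010" protocol="AJP/1.3" secretRequired="false"/>
    <!-- combination reported in bug 64180 -->
    <Connector port="8011" protocol="AJP/1.3" secretRequired="false" secret="s3cr3t"/>
    <!-- what the patched installers ship -->
    <Connector port="8012" protocol="AJP/1.3" address="127.0.0.1"
               secret="s3cr3t" secretRequired="true"/>
  </Service>
</Server>
"""


def generate_secret(nbytes: int = 32) -> str:
    """Random AJP secret. token_urlsafe only yields [A-Za-z0-9_-], so the
    value can be pasted into both server.xml and a ProxyPass directive."""
    return secrets.token_urlsafe(nbytes)


def assess_ajp_connectors(server_xml: str) -> list:
    """One finding per AJP/1.3 connector: port, verdict and the reason."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").startswith("AJP/"):
            continue  # plain HTTP connectors are not affected
        secret = (conn.get("secret") or "").strip()
        # Tomcat treats a missing secretRequired attribute as true.
        required = conn.get("secretRequired", "true").strip().lower() != "false"
        if required and not secret:
            verdict, why = "WILL_NOT_START", "secretRequired is true (the default) but no secret is set"
        elif not required and secret:
            # The thread reports this combination stops Tomcat from starting
            # (bug 64180): either drop the secret or set secretRequired="true".
            verdict, why = "WILL_NOT_START", "secretRequired=false together with a secret (bug 64180)"
        elif not required:
            verdict, why = "UNAUTHENTICATED", ("any client that can reach the port can send AJP "
                                               "requests; only acceptable on a trusted, firewalled network")
        else:
            verdict, why = "OK", "secret set and required"
        if "address" not in conn.attrib:
            why += "; no address attribute, bind explicitly to 127.0.0.1 unless the proxy is on another host"
        findings.append({"port": conn.get("port"), "verdict": verdict, "why": why})
    return findings


def proxypass_line(secret: str, host: str = "127.0.0.1", port: int = 8009) -> str:
    """mod_proxy_ajp directive carrying the secret (Apache httpd 2.4.42+)."""
    return f'ProxyPass "/" "ajp://{host}:{port}/" secret={secret}'


if __name__ == "__main__":
    for f in assess_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"port {f['port']}: {f['verdict']} ({f['why']})")
    new_secret = generate_secret()
    print(f'<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" '
          f'secret="{new_secret}" secretRequired="true"/>')
    print(proxypass_line(new_secret))
```

Run as a script it reports the four sample connectors and then prints a freshly generated secret in both the server.xml form and the httpd form, so the two sides can be kept in step. The bug 64180 branch reflects what the thread reports rather than a Tomcat version check; on a Tomcat that has the fix, that combination simply starts with the secret ignored, which is still not what you want.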