Closed zspitzer closed 4 years ago
unfortunately, the Apache httpd connector doesn't support this option yet and mod_cfml isn't even available for the latest versions of Apache
Zac, as you implicitly note, Apache httpd connectors are maintained by Apache so nothing Lucee would be able to do except wait. In my opinion, given the amount of work with all the connector permutations, this is unlikely candidate to get done anytime soon.
Implementation-wise it would probably be better to only have the secret parameter itself. If present, it should be required for the connection?
You might want to see whether there are volunteers to make the changes to mod_cfml to support latest Apache. For example, Paul (@paulklinkenberg) implemented the secret option for mod_cfml.
The mentioned vulnerability depends on an open AJP port on a webserver (by default tcp:8009). In how many cases would that be true? The best mitigation: use a firewall to block all non-80/443 requests (okay, also keep 22 or 3389 open).
Also, mod_cfml does not use any of the (apache) proxy options itself; it instead just assumes a proxy to tomcat is being done later on in the process.
So, no need to do anything with modcfml here. Except maybe update the config manual: “don’t forget to activate a firewall in front of your webserver”.
As a side note, “mod_cfml isn't even available for the latest versions of Apache” does suck. We did have a contributor for that, but those builds did not work on my test machine, and are not published yet I think.
The problem is that with the latest Tomcat releases, the secret is now mandatory.
A backport has been requested for the Apache 2.4 mod_proxy_ajp from 2.5 http://apache-http-server.18135.x6.nabble.com/mod-proxy-ajp-backport-for-quot-secret-quot-attribute-to-2-4-x-td5051649.html
@zspitzer That's an installer update, and looks like @Bilal-S already has support for it in the BonCode Connector. I will work on this today. Thanks to all of you. =)
Apache 2.4.42 will support secrets
Ghostcat patched installers are up on http://lucee.viviotech.net/. Would appreciate your thoughts on them if you have a moment...
Re. my previous comment: I completely overlooked the fact we’re in the “lucee-installers” repo here! I read “modcfml”, and was talking to @Bilal-S and @utdream , the modcfml dream team, so safely expected we were in the modcfml repo here. Now it does make sense to me, to apply changes for this vuln ;) Thanks @utdream!
FYI you can configure secretRequired=false, but if you also define a secret, Lucee/Tomcat won't start https://bz.apache.org/bugzilla/show_bug.cgi?id=64180
As of Lucee 5.3.4.077 pl1, AJP connector "secret=[random]" and "secretRequired=true" are now configured by default in the installers.
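As an added example (not code from the installers, mod_cfml or Tomcat), a small Python check that walks a Tomcat server.xml and reports AJP connectors that lack a secret, do not set secretRequired="true", or are not pinned to an address, i.e. the settings the thread converges on. The server.xml fragment is constructed for the example and the secret values are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment for the example; not from any real installer.
# Secrets are placeholders, not real values.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8019" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="PLACEHOLDER-SECRET-1"/>
    <Connector port="8029" protocol="org.apache.coyote.ajp.AjpNioProtocol"
               secretRequired="false" secret="PLACEHOLDER-SECRET-2"/>
  </Service>
</Server>
"""


def is_ajp(connector):
    """AJP connectors use protocol="AJP/1.3" or an org.apache.coyote.ajp class."""
    proto = connector.get("protocol", "HTTP/1.1")
    return proto.startswith("AJP/") or ".ajp." in proto


def audit_ajp_connectors(server_xml):
    """Return {port: sorted list of finding codes} for every AJP connector."""
    findings = {}
    root = ET.fromstring(server_xml)
    for c in root.iter("Connector"):
        if not is_ajp(c):
            continue
        issues = []
        secret = (c.get("secret") or "").strip()
        required = c.get("secretRequired", "").strip().lower() == "true"
        if not secret:
            issues.append("no-secret")
        if not required:
            # Only an explicit secretRequired="true" enforces the secret.
            issues.append("secret-not-required")
        if secret and c.get("secretRequired", "").strip().lower() == "false":
            # The thread reports this combination stops Tomcat from starting.
            issues.append("secret-set-but-not-required")
        address = (c.get("address") or "").strip()
        if not address:
            issues.append("no-address")  # not pinned to loopback; check firewall
        elif address in ("0.0.0.0", "::", "::0"):
            issues.append("all-interfaces")
        findings[c.get("port")] = sorted(issues)
    return findings


if __name__ == "__main__":
    for port, issues in audit_ajp_connectors(SAMPLE_SERVER_XML).items():
        print(port, issues or "ok")
```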
mod_cfml already uses a secret; the Tomcat AJP connector should too.
https://www.tenable.com/blog/cve-2020-1938-ghostcat-apache-tomcat-ajp-file-readinclusion-vulnerability-cnvd-2020-10487