Ubuntu
apache2 package

"secret" parameter not available in mod_proxy_ajp on focal

Bug #1865340 reported by Thomas
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
apache2 (Ubuntu)
Fix Released
High
Andreas Hasenack

Bug Description

AJP needs a "secret" parameter on focal since tomcat9 9.0.31-1. Likely this change was triggered by CVE-2020-1938 (Ghostcat).

Unfortunately, in Apache 2.4 this parameter is not available yet in the stable version 2.4.41 (currently only in the development branch 2.5). When setting the "secret" parameter via

ProxyPass / ajp://localhost:8009/ secret=secretkey

the following error appears in the service log:

ProxyPass unknown Worker parameter

Workaround:

Use 'secretRequired="false"' in the "<Connector >" line on the tomcat side. Caution: This workaround weakens security in relation to CVE-2020-1938, so this might cause security issues. Access to port 8009 *must* be restricted by other means, e.g. by a firewall or by 'address="127.0.0.1"' in the Connector (obviously this always has been a good idea).

Proposed fix:

Port the "secret" parameter in mod_proxy_ajp back to Apache 2.4, advise users to create a reasonable secret.

See original description

Related branches

~ahasenack/ubuntu/+source/apache2:focal-apache2-ajp-secret
Christian Ehrhardt  (community): Approve
Thomas (community): Approve (test)
Canonical Server: Pending requested
Diff: 259 lines (+231/-0)
4 files modified
debian/changelog (+7/-0)
debian/patches/mod_proxy_ajp-secret-parameter-doc.patch (+32/-0)
debian/patches/mod_proxy_ajp-secret-parameter.patch (+190/-0)
debian/patches/series (+2/-0)

CVE References

Thomas (lostexception)
tags: added: focal
summary: - "secret" parameter not available in mod_proxy_ajp
+ "secret" parameter not available in mod_proxy_ajp on focal
Thomas (lostexception)
description: updated
Thomas (lostexception)
description: updated
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html seems to indicate "secret" will be available in 2.4.42:

?secret 0x0C String Supported since 2.4.42

From https://bugzilla.redhat.com/show_bug.cgi?id=1397241, looks like redhat has had "secret" support for quite a while. That bug report links to this changeset:

https://svn.apache.org/viewvc?view=revision&revision=1738878

Looks like this is the 2.4.42 commit:
https://github.com/apache/httpd/commit/d8b6d798c177dfdb90cef1a29395afcc043f3c86

With a follow-up doc update:
https://github.com/apache/httpd/commit/4de7604dd086c7bebdcab4ae9dbbec24b59edabc

I grabbed the above from the 2.4.x branch

Changed in apache2 (Ubuntu):
status: New → Triaged
importance: Undecided → High
tags: added: server-next
Andreas Hasenack (ahasenack)
Changed in apache2 (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
Thomas (lostexception)
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apache2 - 2.4.41-4ubuntu2

---------------
apache2 (2.4.41-4ubuntu2) focal; urgency=medium

  * d/p/mod_proxy_ajp-secret-parameter*.patch: add new "secret"
    parameter to mod_proxy_ajp (LP: #1865340)

 -- Andreas Hasenack <email address hidden> Thu, 05 Mar 2020 15:51:00 -0300

Changed in apache2 (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.