"secret" parameter not available in mod_proxy_ajp on focal
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
apache2 (Ubuntu) | | High | Andreas Hasenack | |
Bug Description
AJP needs a "secret" parameter on focal since tomcat9 9.0.31-1. Likely this change was triggered by CVE-2020-1938 (Ghostcat).
Unfortunately, in Apache 2.4 this parameter is not available yet in the stable version 2.4.41 (currently only in the development branch 2.5). When setting the "secret" parameter via
ProxyPass / ajp://localhost
the following error appears in the service log:
ProxyPass unknown Worker parameter
Workaround:
Use 'secretRequired
Proposed fix:
Port the "secret" parameter in mod_proxy_ajp back to Apache 2.4, advise users to create a reasonable secret.
Related branches
- Christian Ehrhardt : Approve on 2020-03-06
- Thomas (community): Approve (test) on 2020-03-06
- Canonical Server Team: Pending requested 2020-03-05
Diff: 259 lines (+231/-0), 4 files modified
debian/changelog (+7/-0)
debian/patches/mod_proxy_ajp-secret-parameter-doc.patch (+32/-0)
debian/patches/mod_proxy_ajp-secret-parameter.patch (+190/-0)
debian/patches/series (+2/-0)
tags: | added: focal |
summary: |
- "secret" parameter not available in mod_proxy_ajp + "secret" parameter not available in mod_proxy_ajp on focal |
description: | updated |
description: | updated |
Andreas Hasenack (ahasenack) wrote : | #1 |
Changed in apache2 (Ubuntu): | |
status: | New → Triaged |
importance: | Undecided → High |
tags: | added: server-next |
Changed in apache2 (Ubuntu): | |
status: | Triaged → In Progress |
assignee: | nobody → Andreas Hasenack (ahasenack) |
description: | updated |
Launchpad Janitor (janitor) wrote : | #2 |
This bug was fixed in the package apache2 - 2.4.41-4ubuntu2
---------------
apache2 (2.4.41-4ubuntu2) focal; urgency=medium
* d/p/mod_
parameter to mod_proxy_ajp (LP: #1865340)
-- Andreas Hasenack <email address hidden> Thu, 05 Mar 2020 15:51:00 -0300
Changed in apache2 (Ubuntu): | |
status: | In Progress → Fix Released |
https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html seems to indicate "secret" will be available in 2.4.42:
?secret 0x0C String Supported since 2.4.42
From https://bugzilla.redhat.com/show_bug.cgi?id=1397241, looks like redhat has had "secret" support for quite a while. That bug report links to this changeset:
https://svn.apache.org/viewvc?view=revision&revision=1738878
Looks like this is the 2.4.42 commit:
https://github.com/apache/httpd/commit/d8b6d798c177dfdb90cef1a29395afcc043f3c86
With a follow-up doc update:
https://github.com/apache/httpd/commit/4de7604dd086c7bebdcab4ae9dbbec24b59edabc
I grabbed the above from the 2.4.x branch
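An added example, not part of the bug report or of the Apache or Ubuntu code: a small audit that lists every `ProxyPass` worker pointing at an `ajp://` backend and reports whether it sets `secret=` and whether the running httpd accepts that parameter (2.4.42 upstream per the documentation quoted above, or a build carrying the backport). The sample configuration, the finding labels and the `secret_backported` flag are assumptions made for the example.

```python
import re

# First upstream httpd release with the mod_proxy_ajp "secret" worker
# parameter, per the documentation line quoted on this page.
SECRET_SINCE = (2, 4, 42)

# Constructed sample configuration (hosts, ports and paths are made up).
SAMPLE_CONF = """\
# ProxyPass /old ajp://localhost:8009/old
ProxyPass /app ajp://localhost:8009/app secret=CHANGE_ME timeout=60
ProxyPass /legacy ajp://localhost:8009/legacy
ProxyPass /static http://localhost:8080/static
<Location /api>
    ProxyPass ajp://localhost:8009/api
</Location>
"""

def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'Apache/2.4.41 (Ubuntu)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.groups())

def audit_ajp_workers(conf, version_text, secret_backported=False):
    """Return (line_no, backend, finding) for each ProxyPass to an ajp:// URL.

    secret_backported is a hypothetical flag for distro builds that carry the
    backport under an older version string (2.4.41-4ubuntu2 on this page).
    """
    supported = secret_backported or parse_version(version_text) >= SECRET_SINCE
    findings = []
    for no, raw in enumerate(conf.splitlines(), 1):
        tokens = raw.split()
        # Commented-out lines start with "#", so they never match here.
        if not tokens or tokens[0].lower() != "proxypass":
            continue
        backend = next((t for t in tokens[1:] if t.lower().startswith("ajp://")), None)
        if backend is None:
            continue
        has_secret = any(t.lower().startswith("secret=") for t in tokens[1:])
        if not has_secret:
            finding = "secret-missing"      # no secret is sent to the AJP backend
        elif supported:
            finding = "ok"
        else:
            finding = "secret-unsupported"  # httpd rejects the worker parameter
        findings.append((no, backend, finding))
    return findings
```

The version string alone cannot reveal a distro backport, which is why the flag is passed explicitly rather than inferred.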