Comment 0 for bug 1865340

Thomas (lostexception) wrote : "secret" parameter not available in mod_proxy_ajp

AJP needs a "secret" parameter on focal since tomcat9 9.0.31-1. Likely CVE-2020-1938 (Ghostcat) is the reason for this.

Unfortunately, in Apache 2.4 this parameter is not available yet in the stable version 2.4.41 (currently only in the development branch 2.5). When setting the "secret" parameter via

ProxyPass / ajp://localhost:8009/ secret="secret_key"

the following error appears in the service log:

ProxyPass unknown Worker parameter

Workaround:

Use 'secretRequired="false"' in the "<Connector >" line on the Tomcat side. Caution: This workaround weakens security in relation to CVE-2020-1938, so this *might* cause security issues.

Proposed fix:

Port the "secret" parameter in mod_proxy_ajp back to Apache 2.4 and advise users to create a reasonable secret.