AJP needs a "secret" parameter on focal since tomcat9 9.0.31-1. Likely CVE-2020-1938 (Ghostcat) is the reason for this.
Unfortunately, in Apache 2.4 this parameter is not available yet in the stable version 2.4.41 (currently only in the development branch 2.5). When setting the "secret" parameter via
ProxyPass / ajp://localhost:8009/ secret="secret_key"
the following error appears in the service log:
ProxyPass unknown Worker parameter
Workaround:
Use 'secretRequired="false"' in the "<Connector>" line on the Tomcat side. Caution: This workaround weakens security in relation to CVE-2020-1938, so this *might* cause security issues.
Proposed fix:
Port the "secret" parameter in mod_proxy_ajp back to Apache 2.4, advise users to create a reasonable secret.
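Added illustration, not part of the bug report: the two Tomcat server.xml connector settings the report discusses, side by side, so the difference between the workaround and the intended configuration is visible. The port, address and the value "secret_key" are placeholders; the only assumptions beyond the report are that the AJP connector is bound to loopback (the Tomcat 9.0.31 default) and that the httpd side runs a mod_proxy_ajp that accepts the "secret" worker parameter (added upstream in httpd 2.4.42).

```xml
<!-- Tomcat server.xml, AJP connector (added example, not from the bug report).

     WORKAROUND from the report: disables the AJP secret check entirely.
     Only tolerable while the connector stays bound to loopback; anything that
     can reach 127.0.0.1:8009 (another local user, a co-located service, an
     SSRF in a neighbouring app) can then speak AJP to Tomcat without a secret,
     which is the CVE-2020-1938 attack surface. -->
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           secretRequired="false"
           redirectPort="8443" />

<!-- HARDENED form: every AJP request must carry the shared secret, and the
     connector keeps its loopback binding. "secret_key" is a placeholder:
     generate a long random value and keep server.xml readable only by the
     Tomcat user. The matching httpd line is
         ProxyPass / ajp://localhost:8009/ secret="secret_key"
     and the two values must be identical, otherwise Tomcat rejects every
     proxied request (HTTP 403 from the connector). -->
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           secret="secret_key"
           redirectPort="8443" />
```

To confirm which side is in effect, send a request through httpd with the secret deliberately mismatched: a hardened connector refuses it, while the workaround connector serves it regardless, which is exactly the check the report's "Caution" warns about.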