In JBoss EAP 7.2 Update 8+ or after applying the One off Patch to EAP 7.2 Update 7 / EAP 7.3, the vulnerability is fixed and custom AJP request attributes are blocked by default. The AJP connector is enabled by default only in standalone-full-ha.xml, standalone-ha.xml and full-ha, ha profiles in domain.xml. See also this knowledge article about adding system properties: If AJP connector is a requirement and cannot be commented or deactivated, then, it is recommended to add credential to AJP connector by configuring the following system property. If you do not use AJP, you can disable the AJP port configuration in your standalone-*.xml and/or domain.xml file by setting enabled="false" as shown below or comment out the whole clause: If using custom AJP and request attributes, see How to allow custom AJP request attributes after applying the CVE-2020-1938 AJP File Read/Inclusion Vulnerability fix in JBoss EAP 6.4 Update 23+ or with the Security Patch applied to top of Update 22, as they will not be allowed by default after the CVE fix. In JBoss EAP 6.4 Update 23+ or after applying the One off Patch to EAP 6.4 Update 22, the vulnerability is fixed and custom AJP request attributes are blocked by default. At the EAP 5.2 side, edit /server/$PROFILE/deploy/jbossweb.sar/server.xml: If AJP connector is required and cannot be commented/deactivated, then we recommend to set a secret password for the AJP conduit - Only requests from workers with the same secret keyword will be accepted. If your site is not using the AJP Connector, disable it by commenting it out from the /server/$PROFILE/deploy/jbossweb.sar/server.xml file as: -> Hence they are not affected by this vulnerability.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |