[JBoss JIRA] (MODCLUSTER-714) support secret="secret" in AJP nodes

Thursday, 9 April 2020

     [
https://issues.redhat.com/browse/MODCLUSTER-714?page=com.atlassian.jira.p...
]

Radoslav Husar updated MODCLUSTER-714:
--------------------------------------
        Status: Resolved  (was: Pull Request Sent)
    Resolution: Done

[~jfclere] PR was merged, should this be resolved or does it need anything on the Java
side?

...
 support secret="secret" in AJP nodes
 ------------------------------------

                 Key: MODCLUSTER-714
                 URL: https://issues.redhat.com/browse/MODCLUSTER-714
             Project: mod_cluster
          Issue Type: Bug
          Components: Native (httpd modules)
            Reporter: Jean-Frederic Clere
            Assignee: Jean-Frederic Clere
            Priority: Major

 The CVE-2020-1938 "mitigation" forces the use of a secret between httpd and the
back-end.
 <Connector port = "8009"
     protocol = "AJP / 1.3"
     redirectPort = "8443"
     address = "YOUR_TOMCAT_IP_ADDRESS" 
     requiredSecret = "YOUR_TOMCAT_AJP_SECRET" />
 Actually secret="secret" is support in mod_proxy_ajp but not in mod_cluster.
 That prevents use using the mitigation. 

--
This message was sent by Atlassian Jira
(v7.13.8#713008)

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009