[mod_cluster-issues] [JBoss JIRA] (MODCLUSTER-714) support secret="secret" in AJP nodes

Jean-Frederic Clere (Jira) issues at jboss.org
Tue Mar 17 09:16:45 EDT 2020


    [ https://issues.redhat.com/browse/MODCLUSTER-714?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14000854#comment-14000854 ] 

Jean-Frederic Clere commented on MODCLUSTER-714:
------------------------------------------------

AJPSecret - secret for all mod_cluster nodes; if not configured, no secret.

Add in httpd.conf something like:

AJPSecret YOUR_TOMCAT_AJP_SECRET

> support secret="secret" in AJP nodes
> ------------------------------------
>
>                 Key: MODCLUSTER-714
>                 URL: https://issues.redhat.com/browse/MODCLUSTER-714
>             Project: mod_cluster
>          Issue Type: Bug
>            Reporter: Jean-Frederic Clere
>            Assignee: Jean-Frederic Clere
>            Priority: Major
>
> The CVE-2020-1938 "mitigation" forces the use of a secret between httpd and the back-end.
> <Connector port="8009"
>     protocol="AJP/1.3"
>     redirectPort="8443"
>     address="YOUR_TOMCAT_IP_ADDRESS"
>     requiredSecret="YOUR_TOMCAT_AJP_SECRET" />
> Actually secret="secret" is supported in mod_proxy_ajp but not in mod_cluster.
> That prevents us using the mitigation.



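A configuration check for the pairing discussed in this issue, added here as an example and not part of the original message or of mod_cluster: it flags Tomcat AJP connectors whose secret is missing or differs from the `AJPSecret` set in httpd.conf. The function names and sample inputs are constructed for illustration; the `secret` attribute is assumed to be the newer Tomcat name for `requiredSecret`.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from a real deployment).
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8009" protocol="AJP/1.3" address="192.0.2.10"
             requiredSecret="s3cr3t-A" />
  <Connector port="8010" protocol="AJP/1.3" address="192.0.2.10" />
</Service></Server>"""

HTTPD_CONF = """
# AJPSecret old-value
AJPSecret s3cr3t-A
"""

def httpd_ajp_secret(conf_text):
    """Return the last uncommented AJPSecret value, or None if absent."""
    found = None
    for line in conf_text.splitlines():
        # Commented lines start with '#', so they never match here.
        m = re.match(r"\s*AJPSecret\s+(\S+)", line, re.IGNORECASE)
        if m:
            found = m.group(1).strip('"')
    return found

def check_ajp_secrets(server_xml, conf_text):
    """Return (port, problem) pairs for AJP connectors that do not line up with httpd."""
    proxy_secret = httpd_ajp_secret(conf_text)
    problems = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # only AJP connectors take the secret
        # requiredSecret is the attribute shown in the issue; "secret" is
        # assumed to be its newer name.
        secret = conn.get("secret") or conn.get("requiredSecret")
        port = conn.get("port")
        if not secret:
            problems.append((port, "connector has no secret"))
        elif proxy_secret is None:
            problems.append((port, "httpd has no AJPSecret"))
        elif secret != proxy_secret:
            problems.append((port, "secret differs from AJPSecret"))
    return problems

if __name__ == "__main__":
    for port, problem in check_ajp_secrets(SERVER_XML, HTTPD_CONF):
        print(f"AJP connector on port {port}: {problem}")
```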