
Tomcat 9.0.x AJP vulnerability

Posted: Thu Feb 27, 2020 5:35 pm
by lwjwillemsen
Hi,

There is a Tomcat AJP protocol vulnerability published.
https://advisories.ncsc.nl/advisory?id=NCSC-2020-0146
https://www.security.nl/posting/645362/Honderden+Nederlandse+servers+kwetsbaar+door+Tomcat-lek
(Only Dutch URLs :( )

Question: Is the AJP protocol used somewhere / mandatory for Servoy 2019 operation on Tomcat?

Regards,

Re: Tomcat 9.0.x AJP vulnerability

Posted: Thu Feb 27, 2020 6:57 pm
by ROCLASI
Hi Lambert

It's only used when you use a proxy server in front of your Tomcat server.
But even then, you don't have to use the AJP protocol. You can use the HTTP protocol, which is not vulnerable.

Edit: I guess you do need to disable the AJP connector on your Tomcat instance though. You can do this in the /conf/server.xml.

Hope this helps.

Re: Tomcat 9.0.x AJP vulnerability

Posted: Thu Feb 27, 2020 8:02 pm
by lwjwillemsen
Thanks Robert!

I was on that track but wanted to be sure, thanks again.

Regards,