Tomcat 9.0.x AJP vulnerability

Questions and Answers on installation, deployment, management, locking, tranasactions of Servoy Application Server

Tomcat 9.0.x AJP vulnerability

Postby lwjwillemsen » Thu Feb 27, 2020 5:35 pm

Hi,

There is a Tomcat AJP protocol vulnerability published.
https://advisories.ncsc.nl/advisory?id=NCSC-2020-0146
https://www.security.nl/posting/645362/Honderden+Nederlandse+servers+kwetsbaar+door+Tomcat-lek
(Only Dutch url's :( )

Question: Is the AJP protocol used somewhere / mandatory for Servoy 2019 operation on Tomcat?

Regards,
Lambert Willemsen
Vision Development BV
lwjwillemsen
 
Posts: 680
Joined: Sat Mar 14, 2009 5:39 pm
Location: The Netherlands

Re: Tomcat 9.0.x AJP vulnerability

Postby ROCLASI » Thu Feb 27, 2020 6:57 pm

Hi Lambert

It's only used when you use a proxy server in front of your Tomcat server.
But even then, you don't have to use the AJP protocol. You can use the HTTP protocol, which is not vulnerable.

Edit: I guess you do need to disable the AJP connector on your tomcat instance though. You can do this in the /conf/server.xml.

Hope this helps.
Robert Ivens
SAN Developer / Servoy Valued Professional / Servoy Certified Developer

ROCLASI Software Solutions / JBS Group, Partner
Mastodon: @roclasi
--
ServoyForge - Building Open Source Software.
PostgreSQL - The world's most advanced open source database.
User avatar
ROCLASI
Servoy Expert
 
Posts: 5438
Joined: Thu Oct 02, 2003 9:49 am
Location: Netherlands/Belgium

Re: Tomcat 9.0.x AJP vulnerability

Postby lwjwillemsen » Thu Feb 27, 2020 8:02 pm

Thanks Robert!

I was on that track but wanted to be sure, thanks again.

Regards,
Lambert Willemsen
Vision Development BV
lwjwillemsen
 
Posts: 680
Joined: Sat Mar 14, 2009 5:39 pm
Location: The Netherlands


Return to Servoy Server

Who is online

Users browsing this forum: No registered users and 7 guests