Package: tomcat8
Version: 8.5.54-0+deb9u1
Severity: grave

Dear Maintainer,

The last tomcat8 upgrade, fixing CVE-2020-1938, is breaking the functionality of the Tomcat AJP connector
in a standard setup.
The updated tomcat8 version implements the 'secretRequired' parameter in the <Connector> tag of the config file
/etc/tomcat8/server.xml (attached by reportbug), and the implicit default for 'secretRequired' is true.
The default value is not explicitly marked in the standard server.xml, nor documented there.

However, the current apache2 package version 2.4.25-3+deb9u9 does not support secret in mod_proxy_ajp.
Hence, to get a working system using AJP, secretRequired has to be set to false in server.xml.

Apache2 mod_proxy_ajp supports secret since version 2.5, backported to 2.4.42.
https://httpd.apache.org/docs/trunk/mod/mod_proxy_ajp.html
https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html

The solution is either to upgrade the apache2 package, or to have the default for 'secretRequired' set
to 'false', with some comments in the server.xml itself.
The standard configuration accepts AJP connections from localhost only, and/or iptables rules can be
applied as well.

Adding the relevant part of catalina.out to this bug report.

Thank you
Cheers
Gianluca Bonetti

-- System Information:
Debian Release: 9
Architecture: amd64
 (x86_64)

Kernel: Linux 4.9.0-12-amd64 (SMP w/8 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages tomcat8 depends on:
ii  adduser                3.115
ii  debconf [debconf-2.0]  1.5.61
ii  lsb-base               4.1+devuan2
ii  tomcat8-common         8.5.54-0+deb9u1
ii  ucf                    3.0036

Versions of packages tomcat8 recommends:
ii  authbind       2.1.2
ii  libtcnative-1  1.2.21-1~deb9u1

Versions of packages tomcat8 suggests:
pn  tomcat8-admin     <none>
pn  tomcat8-docs      <none>
pn  tomcat8-examples  <none>
pn  tomcat8-user      <none>

-- Configuration Files:
/etc/tomcat8/server.xml changed:
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at
      http://www.apache.org/licenses/LICENSE-2.0
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- Note:  A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" at this level.
     Documentation at /docs/config/server.html
 -->
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <!-- A "Service" is a collection of one or more "Connectors" that share
       a single "Container" Note:  A "Service" is not itself a "Container",
       so you may not define subcomponents such as "Valves" at this level.
       Documentation at /docs/config/service.html
   -->
  <Service name="Catalina">
    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
    <!--
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>
    -->
    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
    -->
    <!--
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443
         This connector uses the NIO implementation. The default
         SSLImplementation will depend on the presence of the APR/native
         library and the useOpenSSL attribute of the
         AprLifecycleListener.
         Either JSSE or OpenSSL style configuration may be used regardless of
         the SSLImplementation selected. JSSE style configuration is used below.
    -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->
    <!-- Define an SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
         This connector uses the APR/native implementation which always uses
         OpenSSL for TLS.
         Either JSSE or OpenSSL style configuration may be used. OpenSSL style
         configuration is used below.
    -->
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" >
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig>
            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                         certificateFile="conf/localhost-rsa-cert.pem"
                         certificateChainFile="conf/localhost-rsa-chain.pem"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector protocol="AJP/1.3"
               secretRequired="false"
               address="127.0.0.1"
               port="8009"
               redirectPort="8443" />
    <!-- An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host).
         Documentation at /docs/config/engine.html -->
    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
    -->
    <Engine name="Catalina" defaultHost="localhost">
      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->
      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->
        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html
             Note: The pattern used is equivalent to using pattern="common" -->
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>
</Server>


-- debconf information:
  tomcat8/username: tomcat8
  tomcat8/javaopts: -Djava.awt.headless=true -Xms8g -Xmx8g -XX:+UseG1GC -Dserver=1 -Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=n
  tomcat8/groupname: tomcat8


-- catalina.out:
04-May-2020 19:49:31.629 GRAVE [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[AJP/1.3-8009]]
        org.apache.catalina.LifecycleException: Protocol handler start failed
                at org.apache.catalina.connector.Connector.startInternal(Connector.java:1086)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
                at org.apache.catalina.core.StandardService.startInternal(StandardService.java:440)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
                at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:766)
                at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
                at org.apache.catalina.startup.Catalina.start(Catalina.java:688)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                at java.lang.reflect.Method.invoke(Method.java:498)
                at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
                at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
        Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
                at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:274)
                at org.apache.catalina.connector.Connector.startInternal(Connector.java:1083)
                ... 12 more
04-May-2020 19:49:31.630 INFORMAZIONI [main] org.apache.catalina.startup.Catalina.start Server startup in 6947 ms
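The report above describes three states an AJP connector can end up in after the CVE-2020-1938 fix: the new implicit secretRequired="true" with no secret (the LifecycleException in catalina.out), secretRequired="false" bound to 127.0.0.1 (the reporter's workaround), and the exposed case of secretRequired="false" on all interfaces. The following audit script is an added example, not part of the bug report or of the tomcat8 package; the sample server.xml it parses is constructed here and the "REPLACE-WITH-SHARED-SECRET" value is a placeholder.

```python
"""Audit AJP connectors in a Tomcat server.xml for CVE-2020-1938 exposure (added example)."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Addresses that keep the connector reachable from the local host only.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "0:0:0:0:0:0:0:1"}


def audit_ajp_connectors(server_xml: str) -> List[Dict[str, object]]:
    """Return one finding per AJP connector in the given server.xml text.

    Mirrors the Tomcat 8.5.51+ semantics the report describes: secretRequired
    defaults to true, and secretRequired="true" with an empty secret makes the
    connector refuse to start. Connectors inside XML comments are ignored,
    exactly as Tomcat ignores them.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").startswith("AJP/"):
            continue
        address = conn.get("address")  # None: Tomcat listens on all interfaces
        secret = conn.get("secret", "")
        secret_required = conn.get("secretRequired", "true").lower() == "true"
        if secret_required and not secret:
            status = "startup-fails"  # the IllegalArgumentException in catalina.out
        elif secret_required:
            status = "ok-secret"      # proxy must send the secret (httpd >= 2.4.42)
        elif address in LOOPBACK:
            status = "ok-loopback"    # the reporter's workaround: no secret, local only
        else:
            status = "exposed"        # unauthenticated AJP reachable from other hosts
        findings.append({"port": conn.get("port", "8009"), "address": address, "status": status})
    return findings


# Constructed sample: the reporter's connector, the pre-edit default that produced
# the startup failure, an exposed connector, a secret-protected one and an HTTP one.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- <Connector protocol="AJP/1.3" port="8999" /> commented out, must be ignored -->
    <Connector protocol="AJP/1.3" secretRequired="false"
               address="127.0.0.1" port="8009" redirectPort="8443" />
    <Connector protocol="AJP/1.3" port="8010" redirectPort="8443" />
    <Connector protocol="AJP/1.3" secretRequired="false" port="8011" />
    <Connector protocol="AJP/1.3" address="127.0.0.1" port="8012"
               secret="REPLACE-WITH-SHARED-SECRET" />
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""

if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

Run it against /etc/tomcat8/server.xml to confirm that every AJP connector is either secret-protected or bound to a loopback address before relying on the secretRequired="false" workaround.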