
The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "" after upgrade to 2.2.5 #20377

Closed
manjunathkadrolli opened this issue Mar 3, 2020 · 6 comments
Labels
status: invalid An issue that we don't feel is valid

Comments

@manjunathkadrolli

Application fails to start with the below error. This happened after the upgrade from 2.1.9 to 2.2.5, and I had to do this to avoid the Ghostcat vulnerability.

Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
    at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:264)
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:1035)
    ... 22 common frames omitted

reference : https://dev.lucee.org/t/tomcat-cve-2020-1938-ghostcat-ajp/6650/4

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Mar 3, 2020
@wilkinsona
Member

wilkinsona commented Mar 3, 2020

This is due to a change in Tomcat's default behaviour to address the CVE. When enabling AJP, you now also need to configure a secret (recommended) or disable the need for one (to be done with caution). Either can be achieved using a TomcatConnectorCustomizer. Here's an example of configuring the former:

@Bean
public TomcatConnectorCustomizer ajpSecretCustomizer() {
    return (connector) -> ((AbstractAjpProtocol<?>) connector.getProtocolHandler()).setSecret("your-secret");
}

The latter can be achieved by replacing the call to setSecret(String) with a call to setSecretRequired(false).
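As an added example, not code from this issue or from Spring Boot itself, the former (recommended) route carried one step further: a configuration class that registers the AJP connector with the secret read from an externalized property, refuses to start when that property is blank rather than falling back to setSecretRequired(false), and binds the connector to loopback so only the local reverse proxy can reach it. The class name, the property names ajp.port and ajp.secret, and the loopback binding are assumptions.

```java
import java.net.InetAddress;

import org.apache.catalina.connector.Connector;
import org.apache.coyote.ajp.AbstractAjpProtocol;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Hypothetical configuration class; the property names ajp.port and ajp.secret are assumed.
@Configuration
public class AjpConnectorConfig {

    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> ajpConnectorCustomizer(
            @Value("${ajp.port:8009}") int port,
            @Value("${ajp.secret:}") String secret) {
        // Add a dedicated AJP connector next to the default HTTP one.
        return factory -> factory.addAdditionalTomcatConnectors(buildAjpConnector(port, secret));
    }

    static Connector buildAjpConnector(int port, String secret) {
        if (secret == null || secret.trim().isEmpty()) {
            // Fail fast with a clear message instead of Tomcat's generic one. Never
            // "fix" a missing secret by calling setSecretRequired(false): that
            // re-opens the connector to unauthenticated AJP clients (CVE-2020-1938).
            throw new IllegalStateException(
                    "ajp.secret must be set: an AJP connector without a shared secret is unsafe");
        }
        Connector connector = new Connector("AJP/1.3");
        connector.setPort(port);
        connector.setScheme("http");
        connector.setSecure(false);

        AbstractAjpProtocol<?> protocol = (AbstractAjpProtocol<?>) connector.getProtocolHandler();
        protocol.setSecretRequired(true); // Tomcat's post-fix default, stated explicitly
        protocol.setSecret(secret);       // must match the secret configured on the reverse proxy
        // Assumed hardening: listen on loopback only, so just the co-located proxy can connect.
        protocol.setAddress(InetAddress.getLoopbackAddress());
        return connector;
    }
}
```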

@wilkinsona wilkinsona added status: invalid An issue that we don't feel is valid and removed status: waiting-for-triage An issue we've not yet triaged labels Mar 3, 2020
@manjunathkadrolli
Author

manjunathkadrolli commented Mar 3, 2020

@wilkinsona I replaced the setSecret(String) call with setSecretRequired(false), as detailed below:

@Bean
public TomcatConnectorCustomizer ajpSecretCustomizer() {
    return (connector) -> ((AbstractAjpProtocol<?>) connector.getProtocolHandler()).setSecretRequired(false);
}

but still seeing the same error.

@manjunathkadrolli
Author

@wilkinsona got it working thank you for the response.

@skrzyneckik

Am I correct that secretRequired is true by default to target the Ghostcat vulnerability, and that setSecretRequired(false) actually re-enables this vulnerability? I think it's worth pointing that out.

@manjunathkadrolli
Author

Looks like it, since the issue appeared after the upgrade!

@wilkinsona
Member

wilkinsona commented Apr 24, 2020

@skrzyneckik Yes, that's correct. That's why I said above that calling setSecretRequired(false) is to be done with caution. As with most things related to configuring Tomcat, reading Tomcat's own documentation, where you can find some guidance on configuring AJP, is recommended.
