The AJP Connector is configured with secretRequired=“true” but the secret attribute is either null or “” after upgrade to 2.2.5 #20377
Comments
This is due to a change in Tomcat's default behaviour to address the CVE. When enabling AJP, you now also need to configure a secret (recommended) or disable the need for one (to be done with caution). Either can be achieved using a

```java
@Bean
public TomcatConnectorCustomizer ajpSecretCustomizer() {
    return (connector) -> ((AbstractAjpProtocol<?>) connector.getProtocolHandler()).setSecret("your-secret");
}
```

The latter can be achieved by replacing the call to
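Added example (not part of the original comment or of Spring Boot's own code): one way to register an additional AJP connector so that the `secretRequired` startup check passes, with the secret taken from configuration instead of being hard-coded. The class name and the `ajp.port` / `ajp.secret` property names are assumptions made for this sketch.

```java
import java.net.InetAddress;

import org.apache.catalina.connector.Connector;
import org.apache.coyote.ajp.AbstractAjpProtocol;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.util.StringUtils;

// Hypothetical configuration class; names are illustrative, not from the issue.
@Configuration
public class AjpConnectorConfiguration {

    // Assumed property names. Supply the secret from the environment or a
    // secret store rather than committing it to source control.
    @Value("${ajp.port:8009}")
    private int ajpPort;

    @Value("${ajp.secret:}")
    private String ajpSecret;

    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> ajpConnectorCustomizer() {
        return (factory) -> {
            // Fail with a clear message instead of Tomcat's IllegalArgumentException,
            // and never fall back to setSecretRequired(false) silently.
            if (!StringUtils.hasText(this.ajpSecret)) {
                throw new IllegalStateException(
                        "ajp.secret must be set when the AJP connector is enabled");
            }
            Connector connector = new Connector("AJP/1.3");
            connector.setPort(this.ajpPort);

            AbstractAjpProtocol<?> protocol =
                    (AbstractAjpProtocol<?>) connector.getProtocolHandler();
            // Keep the check that Tomcat introduced for the CVE and satisfy it.
            protocol.setSecretRequired(true);
            protocol.setSecret(this.ajpSecret);
            // Listen on loopback only; widen this deliberately if the proxy is remote.
            protocol.setAddress(InetAddress.getLoopbackAddress());

            factory.addAdditionalTomcatConnectors(connector);
        };
    }
}
```

The reverse proxy in front of Tomcat has to send the same secret on its AJP connection, otherwise its requests are rejected.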
@wilkinsona I replaced the setSecret(String) to setSecretRequired(false) with detail below
but still seeing the same error.
@wilkinsona got it working, thank you for the response.
Am I correct that
Looks like since the issue appeared after upgrade..!
@skrzyneckik Yes, that's correct. That's why I said above that calling
Application fails to start with the below error. This happened after the upgrade from 2.1.9 to 2.2.5 and had to do this to avoid the Ghostcat vulnerability.

```
Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
    at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:264)
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:1035)
    ... 22 common frames omitted
```

Reference: https://dev.lucee.org/t/tomcat-cve-2020-1938-ghostcat-ajp/6650/4