A few days ago, most of us running servers should have received a security notice from our hosting provider about a problem in Apache Tomcat. If any of the server images we use are affected, we need to apply the upgrade or patch promptly to keep the server's web system secure. The root cause is an implementation flaw in the Tomcat AJP protocol that makes certain request parameters attacker-controllable; by crafting specific parameters, an attacker can read arbitrary files under the server's webapp directory.
First, the affected image versions
Tomcat 6.x
Tomcat 7.x < 7.0.100
Tomcat 8.x < 8.5.51
Tomcat 9.x < 9.0.31
As the list shows, most major Tomcat release lines are affected.
Second, security upgrade solution
Whichever method we use, we should back up the server first. If the server supports snapshot backups, take a snapshot before making changes so that any mistake can be rolled back.
A - If Tomcat AJP protocol is not used
If Tomcat AJP protocol is not used, Tomcat can be directly upgraded to version 9.0.31, 8.5.51 or 7.0.100 for vulnerability repair.
If the version cannot be updated immediately, or an older version is in use, it is recommended to disable the AJP Connector entirely, or to change its listening address so that it only listens on localhost.
1. Edit <CATALINA_BASE>/conf/server.xml and find the following line (<CATALINA_BASE> is the working directory of Tomcat):
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
2. Comment out this line (or delete it):
<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
3. After saving, restart Tomcat for the change to take effect.
B - If Tomcat AJP protocol is used
It is recommended to upgrade Tomcat to version 9.0.31, 8.5.51, or 7.0.100 immediately, and to configure the secret attribute on the AJP Connector so that AJP requests must carry a shared authentication secret. For example (note that YOUR_TOMCAT_AJP_SECRET must be replaced with a strong value that cannot be easily guessed):
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="YOUR_TOMCAT_IP_ADDRESS" secret="YOUR_TOMCAT_AJP_SECRET" />
If the version cannot be updated immediately, or an older version is in use, it is recommended to configure the requiredSecret attribute on the AJP Connector, which sets the same shared authentication secret on older releases. For example (note that YOUR_TOMCAT_AJP_SECRET must be replaced with a strong value that cannot be easily guessed):
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="YOUR_TOMCAT_IP_ADDRESS" requiredSecret="YOUR_TOMCAT_AJP_SECRET" />
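As an added check (example code written for this note, not from the advisory or from Tomcat itself), the script below parses a server.xml and flags any AJP connector that is neither bound to a loopback address nor protected by a secret/requiredSecret, covering both the section A and section B fixes. The two sample configurations are constructed, and treating a missing address attribute as "listens on all interfaces" is an assumption about the vulnerable releases.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the page): one exposed AJP connector
# and one hardened the way section B recommends.
EXPOSED_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

HARDENED_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" secret="constructed-sample-secret-9f3b" />
  </Service>
</Server>"""

# The page tells the reader to replace this value; treat it as no secret.
PLACEHOLDER_SECRETS = {"", "YOUR_TOMCAT_AJP_SECRET"}


def audit_ajp(server_xml: str) -> list:
    """One finding per AJP connector. Hardened means bound to loopback or
    carrying a real shared secret (``secret`` on 9.0.31/8.5.51/7.0.100+,
    ``requiredSecret`` on older releases). Commented-out connectors are
    not parsed by ElementTree, so they yield no finding."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        # Assumption: without an address attribute, the vulnerable releases
        # listen on all interfaces.
        address = conn.get("address", "0.0.0.0")
        loopback = address in {"127.0.0.1", "localhost", "::1"}
        secret = conn.get("secret") or conn.get("requiredSecret") or ""
        has_secret = secret not in PLACEHOLDER_SECRETS
        findings.append({"port": conn.get("port"), "address": address,
                         "loopback_only": loopback, "has_secret": has_secret,
                         "hardened": loopback or has_secret})
    return findings


if __name__ == "__main__":
    for cfg in (EXPOSED_XML, HARDENED_XML):
        for f in audit_ajp(cfg):
            state = "OK" if f["hardened"] else "EXPOSED: apply section A or B"
            print(f"AJP connector port {f['port']} on {f['address']}: {state}")
```

Run it against the real <CATALINA_BASE>/conf/server.xml (for example by reading the file into audit_ajp) after applying either fix to confirm the connector no longer reports as exposed.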
At the same time, if the server sits behind a security group, we can block any ports we do not use. For a project that already controls ports strictly this is not a big change, since only the few ports we actually need are opened.
reference: https://www.cnvd.org.cn/webinfo/show/5415