About the image and upgrade methods involved in the Apache Tomcat security issue

A few days ago, webmasters should have received a security notice in their hosting provider's console about Apache Tomcat. If any of the images we are using are affected, we need to apply the upgrade or patch promptly to keep the server's web system secure. The root cause is an implementation flaw in Tomcat's AJP protocol that leaves certain request parameters attacker-controllable; by crafting specific parameters, an attacker can read arbitrary files under the server's webapp directory.


First, the affected image versions

Tomcat 6.x
Tomcat 7.x < 7.0.100
Tomcat 8.x < 8.5.51
Tomcat 9.x < 9.0.31

As the notice shows, most major Tomcat branches are affected.

Second, security upgrade solutions

Whichever method we use, back up the server first. If the server supports snapshot backups, take a snapshot before starting so that any mistake can be rolled back.

A - If the Tomcat AJP protocol is not used

If the AJP protocol is not in use, upgrade Tomcat directly to version 9.0.31, 8.5.51 or 7.0.100 to fix the vulnerability.
If the version cannot be updated immediately, or you are running an older release, it is recommended to disable the AJP Connector entirely, or to change its listening address so that it only listens on localhost.

1. Edit <CATALINA_BASE>/conf/server.xml (<CATALINA_BASE> is Tomcat's working directory) and find the following line:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

2. Comment out the line (or delete it):

<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->

3. Save the file and restart Tomcat for the change to take effect.

B - If the Tomcat AJP protocol is used

It is recommended to upgrade Tomcat to version 9.0.31, 8.5.51 or 7.0.100 immediately and to configure the secret attribute on the AJP connector so that the AJP protocol requires authentication. For example (YOUR_TOMCAT_AJP_SECRET must be replaced with a strong value that cannot be easily guessed):

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="YOUR_TOMCAT_IP_ADDRESS" secret="YOUR_TOMCAT_AJP_SECRET" />

If the version cannot be updated immediately, or you are running an older release, configure requiredSecret on the AJP Connector instead so that the AJP protocol requires authentication. For example (again, YOUR_TOMCAT_AJP_SECRET must be replaced with a strong value that cannot be easily guessed):

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="YOUR_TOMCAT_IP_ADDRESS" requiredSecret="YOUR_TOMCAT_AJP_SECRET" />

In addition, if the server sits behind a security group, we can block the ports we do not use. For projects that already control ports strictly this is not much of a problem, since only the few ports we actually need are opened.
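To check that options A and B above were actually applied, the following audit script is an added example (it is not part of the original post and not a Tomcat tool). It parses a server.xml, classifies every AJP Connector as commented out, loopback-only, protected by a real secret, still carrying the placeholder secret, or exposed, and compares a version banner against the fixed releases listed in this post. The sample server.xml and the secret value x7Qm2pL9vR4tW8nB are constructed for the example; a missing address attribute is treated as "listens on all interfaces", which is the pre-fix default.

```python
import re
import xml.etree.ElementTree as ET

# First release of each branch that carries the fix, as listed in this post.
# Tomcat 6.x has no fixed release in that list, so any 6.x reports as unfixed.
FIXED_VERSIONS = {7: (7, 0, 100), 8: (8, 5, 51), 9: (9, 0, 31)}

# Bind addresses that keep the AJP listener off the network (option A fallback).
LOCAL_ADDRESSES = {"127.0.0.1", "::1", "localhost"}

# Placeholder values from the examples above that must never reach production.
PLACEHOLDER_SECRETS = {"YOUR_TOMCAT_AJP_SECRET", ""}


def parse_version(version_string):
    """Extract (major, minor, patch) from strings such as 'Apache Tomcat/8.5.50'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not match:
        raise ValueError("no x.y.z version in %r" % (version_string,))
    return tuple(int(part) for part in match.groups())


def version_is_fixed(version_string):
    """True when the running Tomcat already contains the AJP fix."""
    version = parse_version(version_string)
    fixed = FIXED_VERSIONS.get(version[0])
    return fixed is not None and version >= fixed


def audit_ajp_connectors(server_xml):
    """Classify every AJP <Connector> in a server.xml document.

    Returns a list of (port, status) tuples in document order. Statuses:
      'local'       bound to a loopback address (option A, restrict instead of remove)
      'secret'      has a non-placeholder secret/requiredSecret (option B)
      'placeholder' secret attribute present but still the sample value
      'exposed'     reachable AJP listener with no secret at all
    A connector that was commented out (option A, step 2) is invisible to the
    XML parser and therefore produces no entry.
    """
    root = ET.fromstring(server_xml)
    results = []
    for connector in root.iter("Connector"):
        protocol = connector.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue
        port = connector.get("port", "?")
        # Fixed releases use 'secret'; older releases use 'requiredSecret'.
        secret = connector.get("secret")
        if secret is None:
            secret = connector.get("requiredSecret")
        # No address attribute means the pre-fix default: all interfaces.
        address = connector.get("address", "")

        if address in LOCAL_ADDRESSES:
            status = "local"
        elif secret is not None and secret not in PLACEHOLDER_SECRETS:
            status = "secret"
        elif secret is not None:
            status = "placeholder"
        else:
            status = "exposed"
        results.append((port, status))
    return results


# Constructed sample input for the example; not a real server's configuration.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- default AJP line as shipped: all interfaces, no secret -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <!-- option B applied, but the placeholder secret was never replaced -->
    <Connector port="8010" protocol="AJP/1.3" redirectPort="8443"
               address="10.0.0.5" secret="YOUR_TOMCAT_AJP_SECRET" />
    <!-- option B applied on an older release (constructed secret value) -->
    <Connector port="8011" protocol="AJP/1.3" redirectPort="8443"
               address="10.0.0.5" requiredSecret="x7Qm2pL9vR4tW8nB" />
    <!-- option A fallback: loopback only -->
    <Connector port="8012" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" />
  </Service>
</Server>
"""

if __name__ == "__main__":
    for port, status in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print("AJP connector on port %s: %s" % (port, status))
    for banner in ("Apache Tomcat/8.5.50", "Apache Tomcat/9.0.31", "Apache Tomcat/6.0.53"):
        print("%s fixed: %s" % (banner, version_is_fixed(banner)))
```

Run it against a copy of your own <CATALINA_BASE>/conf/server.xml by reading the file into a string and passing it to audit_ajp_connectors; any connector reported as "exposed" or "placeholder" still needs one of the two fixes described above, and a loopback-bound connector is only safe if nothing else on the host can reach it.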

Reference: https://www.cnvd.org.cn/webinfo/show/5415

Do not reprint without permission: Lao Zuo's Notes » About the image and upgrade methods involved in the Apache Tomcat security issue