GhostCat High Risk Vulnerability


Benito J. Gonzalez

Mar 3, 2020, 6:01:29 PM
to uPortal Developers
Hi folks,


This issue can be mitigated by using your server firewall rules to restrict access to the AJP port. This port should only be used by a local Apache HTTPD service or a load balancer. Unless your load balancer is using AJP, this port should be locked down from outside the loopback devices. In the load balancer case, lock down access to just your load balancer.

Please have your Operations Team upgrade Tomcat as soon as feasible. For uPortal 5, the Tomcat version is kept in gradle.properties. After updating the version, running `./gradlew tomcatInstall` will set up the new version locally. Make sure to back up PORTAL_HOME files before running this command!

Benito J. Gonzalez
Senior Software Developer
Unicon, Inc.
Voice:  209.777.2754
Text:  209.777.2754
Email:  bgon...@unicon.net
GitHub:  bjagg
BitBucket:  bjagg
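The firewall advice above in a checkable form. This is an added example, not something from the thread or from uPortal: a POSIX shell script that reads a listening-socket listing (a constructed sample in the column layout of `ss -ltn -H`), reports whether the AJP port is bound beyond loopback, and prints iptables rules that allow only loopback and an optional load-balancer address to reach it. The port number, the sample listing and the load-balancer address 10.0.0.5 are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit where the AJP port listens and
# print firewall rules restricting it to loopback plus a load balancer.

AJP_PORT=8009   # Tomcat's default AJP connector port (assumed here)

# Constructed sample in the layout of `ss -ltn -H`:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# The AJP connector here is bound to all IPv4 interfaces, the risky case.
SAMPLE_SOCKETS='LISTEN 0 100 0.0.0.0:8009 0.0.0.0:*
LISTEN 0 100 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8005 0.0.0.0:*'

# ajp_exposure LISTING -> prints one of: exposed, loopback-only, not-listening
ajp_exposure() {
    listing=$1
    # Local-address column (field 4) of every socket on the AJP port.
    addrs=$(printf '%s\n' "$listing" | awk -v p=":$AJP_PORT" '$4 ~ (p "$") {print $4}')
    [ -z "$addrs" ] && { echo not-listening; return 0; }
    for a in $addrs; do
        host=${a%:*}                       # strip the ":port" suffix
        case $host in
            127.*|\[::1\]|::1) ;;          # loopback binding is fine
            *) echo exposed; return 0 ;;   # anything else is reachable from the network
        esac
    done
    echo loopback-only
}

# ajp_firewall_rules [LB_IP] -> prints iptables commands that accept AJP from
# loopback (and from the load balancer, if one is given) and drop the rest.
ajp_firewall_rules() {
    lb=$1
    echo "iptables -A INPUT -p tcp --dport $AJP_PORT -i lo -j ACCEPT"
    [ -n "$lb" ] && echo "iptables -A INPUT -p tcp --dport $AJP_PORT -s $lb -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $AJP_PORT -j DROP"
}

# Stand-alone run on the constructed sample: prints "exposed" and then the rules.
ajp_exposure "$SAMPLE_SOCKETS"
ajp_firewall_rules 10.0.0.5
```

On a real host, replace the constructed listing with the live `ss -ltn -H` output and run the printed rules only after confirming the load-balancer address; when no load balancer speaks AJP, call `ajp_firewall_rules` with no argument so only loopback is accepted.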




Benito J. Gonzalez

Mar 3, 2020, 8:49:44 PM
to uPortal Developers





Jackson, Allan

Mar 10, 2020, 1:10:32 PM
to Benito J. Gonzalez, uPortal Developers

Since pulling in this update, I’m getting the following error on server startup:

SEVERE [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[AJP/1.3-8009]]

Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.

It looks like secretRequired defaults to true now, but since we aren’t including a secret, the AJP connector just fails to start. I don’t know much about AJP…does uPortal use it at all? Should it just be disabled in the default config, or should a secret value be added for it?


Allan

Benito J. Gonzalez

Mar 10, 2020, 1:45:15 PM
to allanj...@ku.edu, uPortal Developers
Hi Allan,

AJP is used in some installations when Apache or a load balancer that supports that protocol is required.

That all said, most installs will not use it. I will update uPortal-start to disable that.

Have a great day!

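The startup failure Allan describes, and the two ways out of it (disable the connector, or give it a secret and bind it to loopback), as an added example that is not part of the thread and not uPortal-start's own code. It is a POSIX shell checker for a single-line `<Connector>` element from Tomcat's server.xml: it classifies the element as disabled, failing at startup (AJP with no secret while secretRequired is not "false", which is the default behaviour since the GhostCat fix releases), exposed (AJP with a secret or secretRequired="false" but bound to all interfaces), or hardened. The before/after connector lines and the placeholder secret are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): classify an AJP <Connector> line from
# server.xml the way the Tomcat releases that fixed GhostCat treat it.

# Constructed "before": the pre-upgrade default that now refuses to start.
BEFORE='<Connector protocol="AJP/1.3" port="8009" redirectPort="8443" />'
# Constructed "after": loopback-only plus a shared secret (placeholder value).
AFTER='<Connector protocol="AJP/1.3" address="127.0.0.1" port="8009" secretRequired="true" secret="REPLACE_WITH_LONG_RANDOM_SECRET" redirectPort="8443" />'

# attr NAME LINE -> prints the value of attribute NAME="..." (empty if absent).
# The leading whitespace match keeps secret= from matching secretRequired=.
attr() {
    printf '%s\n' "$2" | sed -n 's/.*[[:space:]]'"$1"'="\([^"]*\)".*/\1/p'
}

# ajp_connector_status LINE -> disabled | no-ajp | startup-failure | exposed | hardened
ajp_connector_status() {
    line=$1
    case $line in
        *'<!--'*) echo disabled; return 0 ;;   # connector commented out entirely
    esac
    case $line in
        *'AJP/1.3'*) ;;
        *) echo no-ajp; return 0 ;;            # HTTP connector etc.; not in scope
    esac
    secret=$(attr secret "$line")
    required=$(attr secretRequired "$line")
    address=$(attr address "$line")
    # secretRequired defaults to true since the GhostCat fix, so an AJP
    # connector with a null or empty secret fails at startup (the SEVERE
    # message quoted in the thread).
    if [ "$required" != false ] && [ -z "$secret" ]; then
        echo startup-failure; return 0
    fi
    case $address in
        127.*|::1|localhost) echo hardened ;;
        *) echo exposed ;;   # listens on every interface: needs firewall rules
    esac
}

# Stand-alone run: prints "startup-failure" then "hardened".
ajp_connector_status "$BEFORE"
ajp_connector_status "$AFTER"
```

The "exposed" verdict is deliberate: setting secretRequired="false" makes the connector start again but leaves it reachable from the network, so that setting only makes sense together with the firewall rules from the first message or with an `address` attribute that pins it to loopback. If, as Benito says, the install does not use AJP at all, commenting the connector out is the simplest option and the checker reports it as "disabled".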


