Re: [uportal-dev] GhostCat High Risk Vulnerability

Re: [uportal-dev] GhostCat High Risk Vulnerability

Benito J. Gonzalez-2
https://github.com/Jasig/uPortal-start/pull/410

Benito J. Gonzalez
Senior Software Developer
Unicon, Inc.
Voice:  209.777.2754
 Text:  209.777.2754
[hidden email]
GitHub:  bjagg
BitBucket:  bjagg




On Mar 3, 2020, at 3:01 PM, Benito J. Gonzalez <[hidden email]> wrote:

Hi folks,


This issue can be mitigated by using your server firewall rules to restrict access to the AJP port. This port should only be used by a local Apache HTTPD service or a load balancer. Unless your load balancer is using AJP, this port should be locked down from outside the loopback devices. In the load balancer case, lock down access to just your load balancer.

Please have your Operations Team upgrade Tomcat as soon as feasible. For uPortal 5, the Tomcat version is kept in gradle.properties. After updating the version, running `./gradlew tomcatInstall` will set up the new version locally. Make sure to back up PORTAL_HOME files before running this command!

--
You received this message because you are subscribed to the Google Groups "uPortal Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/uportal-dev/10DD0CCF-B27D-4698-A9BA-5C6CF4115269%40unicon.net.

--
You received this message because you are subscribed to the Google Groups "uPortal Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/uportal-dev/D283315C-5227-4A8E-A542-0988AE0940DC%40unicon.net.
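
Benito's original note above asks operators for two things: restrict who can reach the AJP port, and raise the Tomcat version in gradle.properties and then run `./gradlew tomcatInstall`. The script below is an added example, not uPortal-start's own code and not from this thread: it reads the pinned version from a constructed gradle.properties, checks it against the first GhostCat-fixed release on its branch (9.0.31, 8.5.51 and 7.0.100, the versions named in the Apache Tomcat advisory for CVE-2020-1938) and, when the pinned version is older, prints the interim iptables lockdown for port 8009. The property name `tomcat.version`, the load-balancer address 10.0.0.5 and the sample file contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not uPortal-start code: check the Tomcat version pinned in
# gradle.properties against the first GhostCat-fixed release on its branch and,
# if it is older, print the interim iptables lockdown for the AJP port.
# Assumptions: the property is named tomcat.version, the load balancer is
# 10.0.0.5, and the gradle.properties below is constructed for this example.

# First release fixing CVE-2020-1938 on each supported branch.
min_fixed() {
  case $1 in
    9) echo 9.0.31 ;;
    8) echo 8.5.51 ;;
    7) echo 7.0.100 ;;
    *) echo "" ;;       # unknown or EOL branch: treat as unfixed
  esac
}

# version_ge A B -> exit 0 when dotted version A is >= B, compared numerically per field
version_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s\n' "$1" | cut -d. -f"$i"); y=$(printf '%s\n' "$2" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# tomcat_fixed VERSION -> exit 0 when VERSION is at or past the fix on its branch
tomcat_fixed() {
  min=$(min_fixed "${1%%.*}")
  [ -n "$min" ] && version_ge "$1" "$min"
}

# gradle_tomcat_version FILE -> value of tomcat.version (assumed key) in a gradle.properties
gradle_tomcat_version() {
  sed -n 's/^[[:space:]]*tomcat\.version[[:space:]]*=[[:space:]]*//p' "$1" | tr -d '[:space:]'
}

# ajp_lockdown_rules [LB_ADDR ...] -> iptables commands, in order: loopback, each
# load balancer, then reject everything else. No arguments = Apache on the same host.
ajp_lockdown_rules() {
  echo "iptables -A INPUT -i lo -p tcp --dport 8009 -j ACCEPT"
  for lb in "$@"; do echo "iptables -A INPUT -s $lb -p tcp --dport 8009 -j ACCEPT"; done
  echo "iptables -A INPUT -p tcp --dport 8009 -j REJECT --reject-with tcp-reset"
}

props=$(mktemp); trap 'rm -f "$props"' EXIT
cat > "$props" <<'EOF'
# constructed sample of a uPortal-start gradle.properties
tomcat.version=9.0.30
EOF

ver=$(gradle_tomcat_version "$props")
if tomcat_fixed "$ver"; then
  echo "Tomcat $ver includes the GhostCat fix; still bind AJP to loopback or set a secret"
else
  echo "Tomcat $ver predates the fix. Lock down 8009 now, then raise tomcat.version,"
  echo "back up PORTAL_HOME and run ./gradlew tomcatInstall:"
  ajp_lockdown_rules 10.0.0.5    # assumed load-balancer address
fi
```

The rules are appended with `-A`, so they must sit ahead of any blanket ACCEPT already in the INPUT chain, and they are not persisted; use your distribution's iptables-save tooling for that. REJECT with a TCP reset was chosen over DROP so a misrouted front end fails immediately instead of hanging on connect. Where Apache httpd proxies from the same host, call `ajp_lockdown_rules` with no arguments so only loopback is allowed.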
Re: [uportal-dev] GhostCat High Risk Vulnerability

Jackson, Allan

Since pulling in this update, I’m getting the following error on server startup:

SEVERE [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[AJP/1.3-8009]]

Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.

It looks like secretRequired defaults to true now, but since we aren’t including a secret, the AJP connector just fails to start. I don’t know much about AJP…does uPortal use it at all? Should it just be disabled in the default config, or should a secret value be added for it?

Allan

From: <[hidden email]> on behalf of "Benito J. Gonzalez" <[hidden email]>
Date: Tuesday, March 3, 2020 at 7:49 PM
To: uPortal Developers <[hidden email]>
Subject: Re: [uportal-dev] GhostCat High Risk Vulnerability

 

https://github.com/Jasig/uPortal-start/pull/410

--
You received this message because you are subscribed to the Google Groups "uPortal Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/uportal-dev/BF5E4775-8FAD-4413-B1C5-5CC561E09688%40ku.edu.
Re: [uportal-dev] GhostCat High Risk Vulnerability

Benito J. Gonzalez-2
Hi Allan,

AJP is used in some installations when Apache or a load balancer that supports that protocol is required.

That all said, most installs will not use it. I will update uPortal-start to disable that.

Have a great day!

On Mar 10, 2020, at 10:10 AM, Jackson, Allan <[hidden email]> wrote:

Since pulling in this update, I’m getting the following error on server startup:
SEVERE [main] org.apache.catalina.core.StandardService.startInternal Failed to start connector [Connector[AJP/1.3-8009]]
Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.

It looks like secretRequired defaults to true now, but since we aren’t including a secret, the AJP connector just fails to start. I don’t know much about AJP…does uPortal use it at all? Should it just be disabled in the default config, or should a secret value be added for it?

Allan

--
You received this message because you are subscribed to the Google Groups "uPortal Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/uportal-dev/4128D40A-C7A0-4619-A35B-19FB394051C3%40unicon.net.
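
Allan's startup failure and Benito's answer (disable the connector unless Apache or a load balancer actually speaks AJP) both come down to what the AJP `<Connector>` element in server.xml says. The script below is an added example, not uPortal-start or Tomcat code, that classifies that element the way Tomcat 9.0.31+, 8.5.51+ and 7.0.100+ treat it: secretRequired now defaults to true, so a connector with no secret is refused at startup with exactly the IllegalArgumentException quoted above, while the same element on a pre-fix Tomcat listened on every interface with no secret, which is the GhostCat (CVE-2020-1938) exposure. The four server.xml samples, their file names and the secret value are constructed for this example.

```shell
#!/bin/sh
# Added example, not uPortal-start or Tomcat code: classify the AJP <Connector>
# in a Tomcat server.xml the way Tomcat 9.0.31+/8.5.51+/7.0.100+ treats it.
# Sample files and the secret value are constructed for this example.

# Drop <!-- ... --> comments (they may span lines) so a commented-out
# connector is not mistaken for a live one.
strip_comments() {
  awk '{
    line = $0; out = ""
    while (length(line) > 0) {
      if (incomment) {
        i = index(line, "-->")
        if (i == 0) { line = "" } else { line = substr(line, i + 3); incomment = 0 }
      } else {
        i = index(line, "<!--")
        if (i == 0) { out = out line; line = "" }
        else { out = out substr(line, 1, i - 1); line = substr(line, i + 4); incomment = 1 }
      }
    }
    if (out != "") print out
  }' "$1"
}

# One live <Connector ...> start tag per output line, AJP ones only.
ajp_tags() {
  strip_comments "$1" | tr '\n' ' ' | sed 's/<Connector/\
<Connector/g' | grep '^<Connector' | sed 's/>.*//' | grep 'protocol="AJP/1.3"' || true
}

# attr NAME TAG -> value of NAME="..." in TAG, empty when absent
attr() { printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"; }

# classify_ajp TAG -> refuses-start | exposed | loopback-no-secret | secret-only | hardened
#   refuses-start: secretRequired (default true since the fix) with no secret; the
#                  connector aborts on fixed Tomcat, and on pre-fix Tomcat this same
#                  element listened on every interface with no secret (GhostCat).
classify_ajp() {
  addr=$(attr address "$1")
  secret=$(attr secret "$1")
  req=$(attr secretRequired "$1"); req=${req:-true}
  case $addr in
    127.0.0.1|::1|localhost) loopback=1 ;;
    *) loopback=0 ;;   # empty: loopback on fixed Tomcat, all interfaces before; be explicit
  esac
  if [ -z "$secret" ]; then
    if [ "$req" = true ]; then echo refuses-start
    elif [ "$loopback" = 1 ]; then echo loopback-no-secret
    else echo exposed; fi
  elif [ "$loopback" = 1 ]; then echo hardened
  else echo secret-only; fi
}

# audit_file FILE -> one classification per live AJP connector, or no-ajp
audit_file() {
  tags=$(ajp_tags "$1")
  [ -n "$tags" ] || { echo no-ajp; return 0; }
  printf '%s\n' "$tags" | while IFS= read -r tag; do classify_ajp "$tag"; done
}

samples=$(mktemp -d); trap 'rm -rf "$samples"' EXIT
# What Allan hit: no secret, secretRequired left at its new default.
cat > "$samples/nosecret.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>
EOF
# Forced to start without a secret and still bound to every interface.
cat > "$samples/exposed.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" secretRequired="false" redirectPort="8443" />
</Service></Server>
EOF
# Loopback-bound and secret-protected; the httpd side must send the same secret.
cat > "$samples/hardened.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="example-only-change-me" redirectPort="8443" />
</Service></Server>
EOF
# Commented out, which is what Benito says uPortal-start will do by default.
cat > "$samples/disabled.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
  <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
</Service></Server>
EOF

for f in nosecret exposed hardened disabled; do
  printf '%-9s %s\n' "$f" "$(audit_file "$samples/$f.xml")"
done
```

If AJP is kept, both attributes matter: `address="127.0.0.1"` keeps the listener off the network even when the firewall rules are wrong, and `secret` means the front end must prove itself on every connection (mod_jk's `secret` worker property, or the `secret=` parameter on a mod_proxy_ajp ProxyPass, which httpd supports from 2.4.42). Setting `secretRequired="false"` only silences the startup error; the `exposed` sample shows why that is the wrong fix. If nothing in front of Tomcat speaks AJP, the commented-out form is the right answer.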