I joined a project recently and the work is on a Spring Boot application. The application is already in place and I found that they have some tool (similar to SonarQube) which runs during deployment to assess security issues. I found a set of issues on Apache Tomcat with the listed description:

"Apache Tomcat is vulnerable to information disclosure due to Apache JServ Protocol (AJP) connections being given higher privileges than that of an equivalent HTTP client"

The Spring Boot version that we are using is 2.2.3.

Please Help!

My efforts were as below:

I found that AJP has more privileges in Tomcat versions up to 9.0.30. The Apache people have tightened the leak in 9.0.31 and later versions. But they claim that the user would have to do a few more configurations, and the following are my issues here:

0. I tried having Tomcat 9.0.31 as a separate dependency in the pom file, but still the Fortify security app gives the same issue, so I am not sure what configurations need to be done.
1. As point 0 said, I am unable to find what those configurations are that I need to do as a user.
2. Even if I know the configurations to be done, how do I implement those in a Tomcat container running inside the Spring Boot application?

Ram
  • Do you have AJP configured? If not, this is a false positive – Lemmy Apr 10 '20 at 05:17
  • Thanks for that response, Lemmy. Is it possible to configure AJP in a Spring Boot application? How do I do that? Is there any link where you could guide me to, for this specific scenario? – Ram Apr 10 '20 at 13:14
  • There are a lot of examples for it - https://stackoverflow.com/questions/49275241/spring-boot-2-ajp, https://blog.swdev.ed.ac.uk/2015/06/24/adding-embedded-tomcat-ajp-support-to-a-spring-boot-application/ , https://gist.github.com/dosuser/bfcc243a2229c9ab3444daf072518e6a But my question is why you want to do that? Do you know what AJP is used for? – Lemmy Apr 10 '20 at 13:26
  • My intention is not to do anything with AJP. The whole intent is to get rid of the Fortify issues. The following link says that some additional AJP related configurations can help in getting rid of the issue: https://support.f5.com/csp/article/K53254186 That is the reason that I am asking about doing any configuration for the AJP issue. I have mentioned the Fortify security issue in my main question – Ram Apr 10 '20 at 13:36
  • But as I said, if you are not using it then this is a false positive. The AJP connector is not configured by default, you can check server.xml https://tomcat.apache.org/download-90.cgi – Lemmy Apr 10 '20 at 13:45
  • I take your words. Thanks a lot Lemmy. – Ram Apr 10 '20 at 13:49
  • I will go through the link you have provided. Highly appreciate the time you have taken out for me! – Ram Apr 10 '20 at 13:50

1 Answer

As @Lemmy pointed out, Spring Boot does not create an AJP connector out of the box (mentioned by snyk.io), so you weren't exposed to Ghostcat (that's the name of the vulnerability fixed in Tomcat version 9.0.31). If you ever need to configure an AJP connector, here is how you do it:

import org.apache.catalina.connector.Connector;
import org.apache.coyote.ajp.AjpNioProtocol;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatConfig {

  @Bean
  public TomcatServletWebServerFactory servletContainer() {
      TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory();
      // Additional connector speaking AJP, alongside the default HTTP connector
      Connector ajpConnector = new Connector("org.apache.coyote.ajp.AjpNioProtocol");
      AjpNioProtocol protocol = (AjpNioProtocol) ajpConnector.getProtocolHandler();
      // Shared secret the reverse proxy must present (Tomcat 9.0.31+ requires one by default)
      protocol.setSecret("myapjsecret");
      ajpConnector.setPort(9090);
      // Marks requests on this connector as secure (request.isSecure() == true); it does not add TLS
      ajpConnector.setSecure(true);
      tomcat.addAdditionalTomcatConnectors(ajpConnector);
      return tomcat;
  }
}

and you can find more information about this vulnerability, e.g. here.

Krzysztof Skrzynecki
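As an added example (not from the answer above or from the Spring Boot project), here is a hardened variant of the same connector for Tomcat 9.0.31 or later: the AJP connector only exists when a property switches it on, is bound to the loopback address so only a local reverse proxy can reach it, and refuses connections without the shared secret. The property names `tomcat.ajp.enabled`, `tomcat.ajp.port` and `tomcat.ajp.secret` are assumptions; the customizer keeps Spring Boot's auto-configured factory (and `server.port`) instead of replacing it.

```java
import java.net.InetAddress;

import org.apache.catalina.connector.Connector;
import org.apache.coyote.ajp.AjpNioProtocol;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

// Whole configuration is skipped unless tomcat.ajp.enabled=true (assumed property name),
// so the default deployment stays without any AJP listener, as in stock Spring Boot.
@Configuration
@ConditionalOnProperty(name = "tomcat.ajp.enabled", havingValue = "true")
public class HardenedAjpConfig {

  @Bean
  public WebServerFactoryCustomizer<TomcatServletWebServerFactory> ajpConnectorCustomizer(
      @Value("${tomcat.ajp.port:8009}") int port,
      // No default on purpose: startup fails if no secret is configured
      @Value("${tomcat.ajp.secret}") String secret) {
    return factory -> {
      Connector ajp = new Connector("org.apache.coyote.ajp.AjpNioProtocol");
      AjpNioProtocol protocol = (AjpNioProtocol) ajp.getProtocolHandler();
      // Listen on 127.0.0.1 only; the reverse proxy must run on the same host
      protocol.setAddress(InetAddress.getLoopbackAddress());
      // Tomcat 9.0.31+: reject AJP requests that do not carry the shared secret
      protocol.setSecretRequired(true);
      protocol.setSecret(secret);
      ajp.setPort(port);
      factory.addAdditionalTomcatConnectors(ajp);
    };
  }
}
```

After startup, `ss -ltnp` (or `netstat -an`) should show the AJP port bound to 127.0.0.1 only, which is also the quick check for whether a scanner finding about AJP applies to a given deployment at all.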