Apache Tomcat is vulnerable to information disclosure due to higher privileges in Apache JServ Protocol (AJP) connections


Question

I joined a project recently and the work is on a Spring Boot application. The application is already in place and I found that they have some tool (similar to SonarQube) which runs during deployment to assess security issues. I found a set of issues on Apache Tomcat with the listed description:

"Apache Tomcat is vulnerable to information disclosure due to Apache JServ Protocol (AJP) connections being given higher privileges than that of an equivalent HTTP client"

The Spring Boot version that we are using is 2.2.3.

Please help!

My efforts so far are as follows.

I found that AJP has more privileges in Tomcat versions up to 9.0.30; the Apache people have tightened the leak in 9.0.31 and later versions. But they claim that the user would have to do a few more configurations, and the following are my issues here:

0. I tried having Tomcat 9.0.31 as a separate dependency in the pom file, but still, the Fortify security app gives the same issue; so I am not sure what configurations are to be done.
1. As point 0 said, I am unable to find what those configurations are that I need to do as a user.
2. Even if I know the configurations to be done, how do I implement those in a Tomcat container running inside the Spring Boot application?

Accepted answer

As @Lemmy pointed out, Spring Boot does not create an AJP connector out of the box (mentioned by snyk.io), so you weren't exposed to Ghostcat (that's the name of the vulnerability fixed in Tomcat version 9.0.31). If you ever need to configure an AJP connector, here is how you do it:

import org.apache.catalina.connector.Connector;
import org.apache.coyote.ajp.AjpNioProtocol;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatConfig {

  @Bean
  public TomcatServletWebServerFactory servletContainer() {
      TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory();
      // Additional AJP connector next to Spring Boot's default HTTP connector
      Connector ajpConnector = new Connector("org.apache.coyote.ajp.AjpNioProtocol");
      AjpNioProtocol protocol = (AjpNioProtocol) ajpConnector.getProtocolHandler();
      // Shared secret the reverse proxy must present on every AJP request
      // (Tomcat 9.0.31+ requires one unless secretRequired is explicitly disabled)
      protocol.setSecret("myapjsecret");
      ajpConnector.setPort(9090);
      // Marks requests arriving on this connector as secure (request.isSecure() == true);
      // it does not encrypt the AJP link itself
      ajpConnector.setSecure(true);
      tomcat.addAdditionalTomcatConnectors(ajpConnector);
      return tomcat;
  }
}

You can find more information about this vulnerability e.g. here.
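The snippet in the answer hardcodes the secret and leaves the bind address and the 9.0.31+ `secretRequired` default implicit. The following is an added example, not code from the answer or from the Spring Boot or Tomcat projects, showing the same embedded-Tomcat AJP connector with the settings a reviewer would look for: the connector is only created when an assumed `ajp.enabled` property is set, the secret comes from an assumed `ajp.secret` property instead of source code, startup fails if that secret is missing, and the listener is bound to the loopback address so only a reverse proxy on the same host can reach it. The property names, package and class name are assumptions for this example.

```java
package com.example.ajp; // hypothetical package for this example

import java.net.InetAddress;
import org.apache.catalina.connector.Connector;
import org.apache.coyote.ajp.AjpNioProtocol;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
// Assumed property: the AJP listener is opt-in, so a deployment that never
// sets ajp.enabled=true gets no AJP connector at all (Spring Boot's default).
@ConditionalOnProperty(name = "ajp.enabled", havingValue = "true")
public class HardenedAjpConfig {

    // Assumed properties; 8009 is Tomcat's conventional AJP port.
    @Value("${ajp.port:8009}")
    private int ajpPort;

    // No default on purpose: an empty secret must abort startup below.
    @Value("${ajp.secret:}")
    private String ajpSecret;

    @Bean
    public TomcatServletWebServerFactory servletContainer() {
        if (ajpSecret == null || ajpSecret.trim().isEmpty()) {
            // Fail closed instead of exposing an unauthenticated AJP listener.
            throw new IllegalStateException(
                "ajp.secret must be set when ajp.enabled=true");
        }

        TomcatServletWebServerFactory tomcat = new TomcatServletWebServerFactory();
        Connector ajp = new Connector("org.apache.coyote.ajp.AjpNioProtocol");
        AjpNioProtocol protocol = (AjpNioProtocol) ajp.getProtocolHandler();

        // Explicitly keep the 9.0.31+ default: every AJP request must carry the secret.
        protocol.setSecretRequired(true);
        protocol.setSecret(ajpSecret);

        // Bind to 127.0.0.1 / ::1 only; a front-end proxy on another host would
        // need a deliberately chosen address here, never the wildcard.
        protocol.setAddress(InetAddress.getLoopbackAddress());

        ajp.setPort(ajpPort);
        tomcat.addAdditionalTomcatConnectors(ajp);
        return tomcat;
    }
}
```

With this in place, a scanner that flags the AJP finding can be answered by pointing at three properties of the running connector: the Tomcat version is 9.0.31 or later (check the tomcat-embed-core version resolved by the Spring Boot BOM, not just the version written in the pom), the connector requires a secret, and it listens on loopback rather than on all interfaces. The matching secret then has to be configured on the proxy side (for example the `secret` option of mod_proxy_ajp or the worker's secret in mod_jk), which the page does not cover.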
