XMLWordPrintable

    Details

    • Impact type:
      Configuration Change
    • Upgrade notes:
      Hide

      For security reasons (CVE-2020-1938), AJP is now disabled by default. To re-enabled it, the following properties must be defined:

      nuxeo.server.ajp.enabled=true
      nuxeo.server.ajp.secretRequired=true
      nuxeo.server.ajp.secret=changeme
      

      The secret must also be mentioned in the mod_proxy_ajp configuration, see https://httpd.apache.org/docs/trunk/mod/mod_proxy_ajp.html for more.

      If one is sure that the AJP port cannot be accessed by any untrusted hosts, then the following configuration is possible:

      nuxeo.server.ajp.enabled=true
      nuxeo.server.ajp.secretRequired=false
      
      Show
      For security reasons (CVE-2020-1938), AJP is now disabled by default. To re-enabled it, the following properties must be defined: nuxeo.server.ajp.enabled=true nuxeo.server.ajp.secretRequired=true nuxeo.server.ajp.secret=changeme The secret must also be mentioned in the mod_proxy_ajp configuration, see https://httpd.apache.org/docs/trunk/mod/mod_proxy_ajp.html for more. If one is sure that the AJP port cannot be accessed by any untrusted hosts, then the following configuration is possible: nuxeo.server.ajp.enabled=true nuxeo.server.ajp.secretRequired=false
    • Team:
      FG
    • Sprint:
      nxFG 11.1.12

      Description

      Since Tomcat 9.0.31 (master, 10.10-HF23) and Tomcat 8.5.51 (9.10-HF41) the AJP connector, which has been commented-out in default Tomcat, now starts in error in Nuxeo:

      2020-02-25 18:15:57.241 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to start component [Connector[AJP/1.3-8009]]
      	org.apache.catalina.LifecycleException: Protocol handler start failed
      		at org.apache.catalina.connector.Connector.startInternal(Connector.java:1038)
      		at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
      		at org.apache.catalina.core.StandardService.startInternal(StandardService.java:438)
      		at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
      		at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
      		at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
      		at org.apache.catalina.startup.Catalina.start(Catalina.java:633)
      		at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      		at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      		at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      		at java.base/java.lang.reflect.Method.invoke(Method.java:566)
      		at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
      		at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
      	Caused by: java.lang.IllegalArgumentException: The AJP Connector is configured with secretRequired="true" but the secret attribute is either null or "". This combination is not valid.
      		at org.apache.coyote.ajp.AbstractAjpProtocol.start(AbstractAjpProtocol.java:264)
      		at org.apache.catalina.connector.Connector.startInternal(Connector.java:1035)
      		... 12 more
      

      See https://www.mail-archive.com/announce@tomcat.apache.org/msg00398.html for more.

        Attachments

          Issue Links

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  PagerDuty

                  Error rendering 'com.pagerduty.jira-server-plugin:PagerDuty'. Please contact your Jira administrators.