

A recent vulnerability in Tomcat's Apache JServ Protocol (AJP) Connector (CVE-2020-1938) has raised concern among some Pentaho customers that they may be exposed to a security risk, specifically because of the vulnerability's potential use for remote code execution. After careful review, Pentaho recommends that an upgrade to Tomcat 8.5.51 is necessary if AJP connectors are enabled.

AJP is a binary protocol used by the Apache Tomcat web server to communicate, over TCP connections, with the servlet container that sits behind the web server. It is mainly used in a cluster or reverse proxy scenario where web servers communicate with application servers or servlet containers. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they may be exploited in ways that represent a risk. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, the AJP Connector is enabled by default, meaning it can listen on all configured IP addresses.

We recommend that AJP Connectors be manually disabled unless you require them. If AJP Connectors are disabled or the AJP ports are not accessible to untrusted users, you are not exposed to this vulnerability. If they are enabled and exposed, we recommend you upgrade to the latest Pentaho Service Pack where this vulnerability is addressed:

Figure 1: Your Current Pentaho Version and Recommended Action

However, after upgrading, the connector does not start and reports "Protocol handler start failed". Edit the C:\Program Files\Apache Software Foundation\Tomcat 8.5\conf\server.xml file and add the secretRequired="false" option to the AJP/1.3 connector.

The secretRequired="false" option added to the AJP connector in server.xml.

However, this configuration is at your own risk, as it may not have been fully certified against your current Pentaho version. This parameter is available in Apache HTTP Server 2.4.
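As an added example (not part of the advisory, and not Pentaho's or Tomcat's own code), the following Python script audits the AJP connectors in a server.xml for the conditions described above: an AJP connector that is enabled at all, one that binds to something other than the loopback address, and one that runs without a shared secret. The sample server.xml and the secret value in it are constructed for the example. It assumes Tomcat's standard <Connector> attributes (protocol, address, secretRequired, secret) and that Tomcat 8.5.51 and later refuse to start an AJP connector with secretRequired left at its default of true and no secret configured, which is the "Protocol handler start failed" symptom the secretRequired="false" workaround suppresses.

```python
"""Audit AJP connectors in a Tomcat server.xml for CVE-2020-1938 exposure.

Added example, not code from the Pentaho advisory, Pentaho or Tomcat.
It flags each AJP connector that is enabled, bound to a non-loopback
address, or running without a shared secret. Commented-out connectors
are dropped by the XML parser, which matches Tomcat ignoring them.
"""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample server.xml; the secret value is a placeholder.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- Exposed: no bind address and the shared secret switched off -->
    <Connector port="8009" protocol="AJP/1.3" secretRequired="false" redirectPort="8443"/>
    <!-- Hardened: loopback only, shared secret configured -->
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_LONG_RANDOM_SECRET"/>
    <!-- Disabled: commented out, so neither Tomcat nor this audit sees it
    <Connector port="8011" protocol="AJP/1.3"/>
    -->
  </Service>
</Server>
"""


def is_ajp(connector):
    """True for protocol="AJP/1.3" or an explicit AJP handler class name."""
    return "ajp" in connector.get("protocol", "HTTP/1.1").lower()


def audit_connector(connector):
    """Return a list of findings for one enabled AJP <Connector>."""
    findings = []
    address = connector.get("address")  # Tomcat < 8.5.51 listened on all addresses when unset
    if address not in LOOPBACK:
        findings.append(
            f"binds to {address or 'all interfaces'}; set address=\"127.0.0.1\" "
            "or disable the connector"
        )
    secret_required = connector.get("secretRequired", "true").lower() != "false"
    if not secret_required:
        findings.append('secretRequired="false" turns the AJP shared secret off')
    elif not connector.get("secret"):
        findings.append(
            "secretRequired is true but no secret is set; Tomcat 8.5.51+ "
            "refuses to start the connector"
        )
    return findings


def audit_server_xml(xml_text):
    """Map each enabled AJP connector's port to its findings (empty list = ok)."""
    root = ET.fromstring(xml_text)
    return {
        c.get("port"): audit_connector(c)
        for c in root.iter("Connector")
        if is_ajp(c)
    }


def exposed_ports(xml_text):
    """Ports of AJP connectors that have at least one finding."""
    return sorted(p for p, f in audit_server_xml(xml_text).items() if f)


if __name__ == "__main__":
    for port, findings in audit_server_xml(SAMPLE_SERVER_XML).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"AJP connector on port {port}: {status}")
```

To run it against a real installation, pass the file contents to audit_server_xml (for example `audit_server_xml(open(path, encoding="utf-8").read())`). A connector that appears in the output with an empty finding list is bound to loopback with a secret configured; one that does not appear at all is either not AJP or commented out.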
