How to allow custom AJP request attributes after applying the CVE-2020-1745 AJP File Read/Inclusion Vulnerability fix in JBoss EAP 7.2 Update 8+ or with the Security Patch applied to top of Update 7

Solution Verified - Updated

Environment

Red Hat JBoss Enterprise Application Platform (EAP) 7.2 Update 8+
Red Hat JBoss Enterprise Application Platform (EAP) 7.2 Update 7 plus the CVE-2020-1745 Security Patch

Issue

  • How to allow custom AJP request attributes after applying the CVE-2020-1745 AJP File Read/Inclusion Vulnerability fix in JBoss EAP 7.2 Update 7+

Resolution

To allow custom request attributes, set the following system property to a regular expression that matches the attribute names you need to pass through, for example:

-Dio.undertow.ajp.allowedRequestAttributesPattern="attribute1|attribute2|attribute3"

The AJP protocol inherently passes some information from the reverse proxy to the AJP connector using request attributes. These standard allowed attributes are:

  • context
  • servlet_path
  • remote_user
  • auth_type
  • query_string
  • route
  • ssl_cert
  • ssl_cipher
  • ssl_session
  • req_attribute
  • ssl_key_size
  • secret
  • stored_method

Root Cause

Use of the AJP protocol requires additional security considerations because it allows greater direct manipulation of a request's internal data structures than the HTTP connectors. Particular attention should be paid to the values used for the address, secret, secretRequired and allowedRequestAttributesPattern attributes.

The AJP protocol supports passing arbitrary request attributes: the reverse proxy can forward various pieces of information to the AJP connector as request attributes over the AJP protocol.

Unrecognized request attributes are ignored unless the attribute name matches the regular expression specified by the system property io.undertow.ajp.allowedRequestAttributesPattern. If the property is not set, its default value is null, so every unrecognized attribute is ignored.
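As an added illustration (not code from the Red Hat article or from Undertow itself), the Python model below reproduces the filtering rule described above: the standard attributes are always accepted, and any other name is accepted only when the whole name matches the configured pattern. Full-match semantics are assumed here to mirror Java's Matcher.matches(), and the sample attribute set is constructed; the model also shows why a catch-all pattern such as `.*` re-admits every attribute and defeats the fix.

```python
import re
from typing import Dict, List, Optional, Tuple

# Standard AJP attributes listed in the article; the connector always accepts these.
STANDARD_AJP_ATTRIBUTES = frozenset({
    "context", "servlet_path", "remote_user", "auth_type", "query_string",
    "route", "ssl_cert", "ssl_cipher", "ssl_session", "req_attribute",
    "ssl_key_size", "secret", "stored_method",
})


def compile_allowed_pattern(value: Optional[str]) -> Optional["re.Pattern"]:
    """Model io.undertow.ajp.allowedRequestAttributesPattern: unset/empty behaves as null."""
    if value is None or value == "":
        return None
    return re.compile(value)


def filter_request_attributes(attrs: Dict[str, str],
                              pattern: Optional["re.Pattern"]) -> Tuple[Dict[str, str], List[str]]:
    """Return (accepted, ignored). Unknown names pass only on a full-name match of the pattern
    (full-match semantics are an assumption mirroring java.util.regex.Matcher.matches())."""
    accepted: Dict[str, str] = {}
    ignored: List[str] = []
    for name, value in attrs.items():
        if name in STANDARD_AJP_ATTRIBUTES or (pattern is not None and pattern.fullmatch(name)):
            accepted[name] = value
        else:
            ignored.append(name)
    return accepted, ignored


# Constructed sample: attributes as a reverse proxy might forward them in one AJP request.
SAMPLE_ATTRIBUTES = {
    "remote_user": "alice",                 # standard, always accepted
    "ssl_cipher": "TLS_AES_256_GCM_SHA384", # standard, always accepted
    "attribute1": "tenant-a",               # custom, allowed only via the pattern
    "attribute4": "not-listed",             # custom, not in the example pattern
    "attribute1_extra": "prefix-only",      # custom, a prefix match is not a full match
}

if __name__ == "__main__":
    for prop in (None, "attribute1|attribute2|attribute3", ".*"):
        accepted, ignored = filter_request_attributes(SAMPLE_ATTRIBUTES, compile_allowed_pattern(prop))
        print(f"pattern={prop!r}: accepted={sorted(accepted)} ignored={ignored}")
```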

CVE-2020-1745 - undertow: AJP File Read/Inclusion Vulnerability

For EAP 6, refer to How to allow custom AJP request attributes after applying the CVE-2020-1938 AJP File Read/Inclusion Vulnerability fix in JBoss EAP 6.4 Update 23+ or with the Security Patch applied to top of Update 22


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.