How to allow custom AJP request attributes after applying the CVE-2020-1938 AJP File Read/Inclusion Vulnerability fix in JBoss EAP 6.4 Update 23+ or with the Security Patch applied on top of Update 22


Environment

Red Hat JBoss Enterprise Application Platform (EAP) 6.4 Update 23+
Red Hat JBoss Enterprise Application Platform (EAP) 6.4 Update 22 plus the CVE-2020-1938 Security Patch

Issue

  • How to allow custom AJP request attributes after applying the CVE-2020-1938 AJP File Read/Inclusion Vulnerability fix in JBoss EAP 6.4 Update 23+ or with the Security Patch applied on top of Update 22

Resolution

To allow custom request attributes beyond the standard ones, set the following system property to a regular expression that matches the full names of the attributes you need, for example:

-Dorg.apache.coyote.ajp.ALLOWED_REQUEST_ATTRIBUTES_PATTERN="attribute1|attribute2|attribute3"

The AJP protocol inherently passes some information from the reverse proxy to the AJP connector using request attributes. These standard allowed attributes are:

  • javax.servlet.request.cipher_suite
  • javax.servlet.request.key_size
  • javax.servlet.request.ssl_session
  • javax.servlet.request.X509Certificate
  • AJP_LOCAL_ADDR
  • AJP_REMOTE_PORT
  • AJP_SSL_PROTOCOL
  • JK_LB_ACTIVATION
  • CERT_ISSUER
  • CERT_SUBJECT
  • CERT_COOKIE
  • HTTPS_SERVER_SUBJECT
  • CERT_FLAGS
  • HTTPS_SECRETKEYSIZE
  • CERT_SERIALNUMBER
  • HTTPS_SERVER_ISSUER
  • HTTPS_KEYSIZE

Root Cause

Use of the AJP protocol requires additional security considerations because it allows greater direct manipulation of a request's internal data structures than the HTTP connectors. Particular attention should be paid to the values used for the address, secret, secretRequired and allowedRequestAttributesPattern attributes.

The AJP protocol supports the passing of arbitrary request attributes. A request containing a non-standard request attribute is rejected with a 403 response unless the entire attribute name matches the regular expression specified by the system property org.apache.coyote.ajp.ALLOWED_REQUEST_ATTRIBUTES_PATTERN. If the property is not specified, the default value is null, so no custom attribute matches and every request carrying one is rejected.
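The following is an added example, not code from the solution or from jbossweb: it models the attribute filter described above (standard attributes always pass, anything else must match the whole-name pattern, unset pattern rejects all custom attributes) so a pattern can be checked against the attribute names a proxy sends before the property is rolled out. It assumes Python's re.fullmatch behaves like Java's Matcher.matches() for the simple alternation patterns used here.

```python
import re
from typing import List, Optional, Tuple

# Standard AJP request attributes that the connector always accepts (from the list above).
STANDARD_ATTRIBUTES = frozenset({
    "javax.servlet.request.cipher_suite", "javax.servlet.request.key_size",
    "javax.servlet.request.ssl_session", "javax.servlet.request.X509Certificate",
    "AJP_LOCAL_ADDR", "AJP_REMOTE_PORT", "AJP_SSL_PROTOCOL", "JK_LB_ACTIVATION",
    "CERT_ISSUER", "CERT_SUBJECT", "CERT_COOKIE", "HTTPS_SERVER_SUBJECT",
    "CERT_FLAGS", "HTTPS_SECRETKEYSIZE", "CERT_SERIALNUMBER",
    "HTTPS_SERVER_ISSUER", "HTTPS_KEYSIZE",
})


def is_attribute_allowed(name: str, pattern: Optional[str]) -> bool:
    """Return True if an AJP request attribute with this name would be accepted.

    Standard attributes always pass. Any other attribute passes only if its ENTIRE
    name matches the configured regex (re.fullmatch stands in for Java's
    Matcher.matches(); this is an assumption of the model). With the property
    unset (None, the default), every custom attribute is rejected.
    """
    if name in STANDARD_ATTRIBUTES:
        return True
    if pattern is None:
        return False
    return re.fullmatch(pattern, name) is not None


def check_request(attributes: List[str], pattern: Optional[str]) -> Tuple[int, List[str]]:
    """Return (status, rejected_names): 403 if any attribute fails the filter, else 200."""
    rejected = [n for n in attributes if not is_attribute_allowed(n, pattern)]
    return (403 if rejected else 200), rejected


if __name__ == "__main__":
    # Constructed sample: a proxy forwarding one standard and two custom attributes.
    attrs = ["AJP_REMOTE_PORT", "attribute1", "attribute1_extra"]
    print(check_request(attrs, None))                       # default: both custom names rejected
    print(check_request(attrs, "attribute1|attribute2"))    # partial match still rejected
    print(check_request(attrs, "attribute1.*"))             # broader pattern admits both
```

Prefer an explicit alternation of the exact names over a wildcard pattern: the third call shows how a prefix match quietly widens what the connector accepts.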

The reverse proxy passes various pieces of information to the AJP connector as request attributes over the AJP protocol.

CVE-2020-1938 - jbossweb: AJP File Read/Inclusion Vulnerability

Related Solutions

For EAP 7 see: How to allow custom AJP request attributes after applying the CVE-2020-1745 AJP File Read/Inclusion Vulnerability fix in JBoss EAP 7.2 Update 8+ or with the Security Patch applied on top of Update 7


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.