Apache Tomcat is often used as the application server for CA SiteMinder Federation Services. On February 11th, 2020, the Ghostcat – Apache Tomcat AJP File Read/Inclusion Vulnerability (CNVD-2020-10487, tracked as CVE-2020-1938) was published (http://tomcat.apache.org/security-9.html). This vulnerability affected multiple versions of Apache Tomcat. The Apache Software Foundation recommended upgrading Apache Tomcat and the AJP connector.
In this brief post, we provide the entries for the workers.properties and server.xml files that support SiteMinder Federation Services.
After upgrading Apache Tomcat and the AJP connector, add the shared-secret entry (worker.node1.secret) shown below to the workers.properties file:
worker.node1.type=ajp13
worker.node1.host=127.0.0.1
worker.node1.port=8009
worker.node1.connection_pool_size=50
worker.node1.secret={SharedSecret}
worker.node1.socket_timeout=60
Using a shared secret secures the connection between the web server and the application server. The following entries should be added to the AJP Connector in server.xml; requiredSecret must carry the same {SharedSecret} value as the worker entry above.
<Connector protocol="AJP/1.3"
address="127.0.0.1"
port="8009"
redirectPort="8443"
requiredSecret="{SharedSecret}"
allowedRequestAttributesPattern="[\s\S]*" />
The “allowedRequestAttributesPattern” attribute will allow the Federation Application to generate and forward the assertion to the AJP connector. If this value is missing, the request will be rejected by Apache Tomcat and the assertion generation request will fail.
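The following script is an added example (not SIS's or Apache's code) that checks a server.xml and workers.properties pair against the configuration described above: the AJP Connector must be bound to loopback, carry a shared secret that matches the mod_jk worker, and set allowedRequestAttributesPattern. The sample files are constructed and the secret value is a placeholder.

```python
"""Added config check for the AJP hardening above (not SIS's or Apache's code).
Parses a Tomcat server.xml and a mod_jk workers.properties and reports
deviations from the recommended settings. Sample inputs are constructed."""
import xml.etree.ElementTree as ET

# Constructed sample files mirroring the post's snippets (placeholder secret).
SERVER_XML = r"""<Server><Service name="Catalina">
  <Connector protocol="AJP/1.3" address="127.0.0.1" port="8009"
             redirectPort="8443" requiredSecret="example-shared-secret"
             allowedRequestAttributesPattern="[\s\S]*" />
</Service></Server>"""

WORKERS_PROPERTIES = """worker.node1.type=ajp13
worker.node1.host=127.0.0.1
worker.node1.port=8009
worker.node1.secret=example-shared-secret
"""


def parse_workers(text):
    """Parse key=value lines of workers.properties into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_ajp(server_xml, workers_properties, worker="node1"):
    """Return a list of findings; an empty list means the connector passes."""
    findings = []
    root = ET.fromstring(server_xml)
    ajp = [c for c in root.iter("Connector") if c.get("protocol", "").startswith("AJP")]
    if not ajp:
        return ["no AJP connector found (fine only if mod_jk is not used)"]
    worker_secret = parse_workers(workers_properties).get(f"worker.{worker}.secret", "")
    for c in ajp:
        # Tomcat 9.0.31+ renamed requiredSecret to secret; accept either spelling.
        secret = c.get("secret") or c.get("requiredSecret") or ""
        if not secret:
            findings.append("AJP connector has no shared secret")
        elif secret != worker_secret:
            findings.append("AJP secret does not match the mod_jk worker secret")
        if c.get("address") not in ("127.0.0.1", "::1", "localhost"):
            findings.append("AJP connector is not bound to a loopback address")
        if not c.get("allowedRequestAttributesPattern"):
            findings.append("allowedRequestAttributesPattern missing; federation assertions will be rejected")
    return findings
```

Run check_ajp against the real files after patching; any non-empty result means the connector still differs from the configuration above.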
We hope this brief post will facilitate patching your Apache Tomcat vulnerability. If you need assistance with Symantec SiteMinder or your IAM environment, please contact SIS.