Vulnerability CVE-2020-13934 - Questions about updating Tomcat

Hi there,

I work on a team that has an application using Lucee 5 on Windows Servers (2012 R2 and above). Recently, a new vulnerability came to light which requires an update to Tomcat 9.0.37. As this is my first post here, just a note: I personally am just making the jump from tech support to dev. Much to learn 🙂

Here is a reference to the vulnerability:
https://nvd.nist.gov/vuln/detail/CVE-2020-13934

Our product used to use Lucee 4.5. At that time, our process for updating Tomcat was to update the files in lucee/tomcat/lib with the files from the corresponding folder in the Tomcat core zip file (downloaded from the Tomcat website). That process doesn’t seem to work at our current version of Lucee, as neither our application site, nor the Lucee web/server admin pages come up afterwards. The request just spins forever.

I did not see any errors in the Lucee logs that jumped out at me.

I’d like to learn the best process for updating Tomcat in this kind of environment.

tl;dr:
Has anybody had any experience making the update of Tomcat for Lucee 5.x on Windows servers? If so, what is your process?

Generally it works just fine if you update the lib and bin directories with the files from new version as long as you stick to the same major version of Tomcat. For example you don’t want to switch from Tomcat 7 to Tomcat 9 as you will likely require additional configuration changes. But going from 9.0.x to 9.0.y should generally be an easy upgrade.

Another possibility for error here is that one of the more recent Tomcat updates made a potentially breaking change to the default configuration if you are using AJP (look in your server.xml and see if you have the AJP protocol enabled). If so then a shared secret is required to be configured by default.

Hope that helps!

–
Pete Freitag
Foundeo Inc.
Makers of CF Security Tools: Fixinator, FuseGuard & HackMyCF

Thank you very much, Pete! That did the trick.

I was able to implement this successfully. For anyone who needs to do this, these were our steps:

  1. Choose a phrase to use as a shared secret. For this example, I’m using "someSecret".
  2. In the Lucee installation directory, in the lucee/tomcat/conf directory, edit the file server.xml.
  3. On the line after <!-- Define an AJP 1.3 Connector on port 8009 -->, add your new secret with secret="someSecret" into the tag. Save the file. It will look something like this:
     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" secret="someSecret" />
  4. Edit the BonCodeAJP13.settings file in the Windows directory. After the element <ModCFMLSecret/>, add <RequestSecret>someSecret</RequestSecret>. Save the file.
  5. Restart the Lucee service and perform an IIS reset.
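As an added example (not code from this thread, nor from the Lucee, Tomcat or BonCode projects), the following Python script checks whether a Tomcat server.xml and a BonCodeAJP13.settings file are in the state the steps above produce: AJP connector enabled, a secret set on it, and the same value in BonCode's <RequestSecret>. It also flags the two states that cause trouble after a Tomcat 9 update: an AJP connector with no secret (newer Tomcat 9 releases require one by default), and a connector that sidesteps the requirement with Tomcat's secretRequired="false" attribute, which leaves AJP accepting unauthenticated connections. The two sample documents are constructed for this example using the values from the thread; the BonCode root element name is not assumed, the file is searched for the element.

```python
"""Check that Tomcat's AJP connector and BonCode's IIS connector share a secret.

Added example; not code from the forum thread, Lucee, Tomcat or BonCode.
Both sample documents at the bottom are constructed for this example.
"""
import xml.etree.ElementTree as ET


def ajp_connectors(server_xml: str) -> list:
    """Return the <Connector> elements whose protocol is AJP.

    The parser drops XML comments, which is the reading we want: a
    commented-out AJP connector is not an enabled one.
    """
    root = ET.fromstring(server_xml)
    return [c for c in root.iter("Connector")
            if c.get("protocol", "").upper().startswith("AJP")]


def boncode_secret(settings_xml: str):
    """Return the text of <RequestSecret> from BonCodeAJP13.settings, or None."""
    node = ET.fromstring(settings_xml).find(".//RequestSecret")
    if node is None or not node.text or not node.text.strip():
        return None
    return node.text.strip()


def check_ajp_secret(server_xml: str, settings_xml: str) -> dict:
    """Classify the AJP/BonCode pairing as {"status": ..., "detail": ...}.

    no-ajp          no enabled AJP connector; BonCode cannot reach Tomcat over AJP
    missing-secret  AJP enabled with no secret; Tomcat 9.0.31+ refuses to start
                    the connector unless secretRequired="false" is set
    weak            secretRequired="false" and no secret; AJP is unauthenticated
    mismatch        Tomcat and BonCode secrets differ; IIS requests are rejected
    ok              both sides carry the same secret
    """
    connectors = ajp_connectors(server_xml)
    if not connectors:
        return {"status": "no-ajp", "detail": "no enabled AJP connector found"}
    bon = boncode_secret(settings_xml)
    for conn in connectors:
        port = conn.get("port", "?")
        secret = conn.get("secret")
        # Tomcat's secretRequired defaults to true in the releases that added it.
        required = conn.get("secretRequired", "true").strip().lower() != "false"
        if not secret:
            if required:
                return {"status": "missing-secret",
                        "detail": f"AJP connector on port {port} has no secret attribute"}
            return {"status": "weak",
                    "detail": f"AJP connector on port {port} has secretRequired=\"false\" and no secret"}
        if bon != secret:
            return {"status": "mismatch",
                    "detail": f"secret on port {port} does not match BonCode <RequestSecret>"}
    return {"status": "ok", "detail": "AJP secret matches BonCode <RequestSecret>"}


# Constructed sample: server.xml before the secret was added.
SERVER_XML_NO_SECRET = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8888" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# Constructed sample: server.xml after step 3 of the thread.
SERVER_XML_WITH_SECRET = SERVER_XML_NO_SECRET.replace(
    'redirectPort="8443" />\n  </Service>',
    'redirectPort="8443" secret="someSecret" />\n  </Service>')

# Constructed sample: BonCodeAJP13.settings after step 4 of the thread.
BONCODE_SETTINGS = """<Settings>
  <Server>localhost</Server>
  <Port>8009</Port>
  <ModCFMLSecret/>
  <RequestSecret>someSecret</RequestSecret>
</Settings>
"""

if __name__ == "__main__":
    for label, xml in (("before", SERVER_XML_NO_SECRET), ("after", SERVER_XML_WITH_SECRET)):
        print(label, check_ajp_secret(xml, BONCODE_SETTINGS))
```

To run it against real files, read lucee/tomcat/conf/server.xml and the BonCodeAJP13.settings file from the Windows directory into the two string arguments; a "missing-secret" result is the configuration that stops the AJP connector from coming up after the update, and "mismatch" is the one where Tomcat starts but IIS requests never get through.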

@Northwest Thanks for posting back. Glad you worked it out. A little reminder, just in case you are also getting hit by the same issue of Tomcat 9 I had with Windows Server 2012: here is a post regarding that and @Zackster’s awesome solution to resolve it.

https://lucee.daemonite.io/t/tomcat-cve-2020-1938-ghostcat-ajp/6650/20?u=andreas

That’s super helpful, @andreas! Kudos to @Zackster for his post. We might need to implement that as well.