Update: Apache Tomcat Vulnerability

Which lines exactly am I commenting out in my server.xml?

<!-- Define an AJP 1.3 Connector on port 8009 -->
   <Connector URIEncoding="UTF-8" port="8009" protocol="AJP/1.3" redirectPort="8443"/>

@austin_nill That's basically it.

<!-- Define an AJP 1.3 Connector on port 8009 -->
<!-- <Connector URIEncoding="UTF-8" port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->

Don't think it's more complicated than that.

What’s the location of that file?

Why not update Tomcat to the patched Version?

@jdh1979 Depends on server OS...
https://docs.jamf.com/10.19.0/jamf-pro/install-guide-linux/Installed_Files_and_Folders.html
/usr/local/jss/tomcat/conf/server.xml

https://docs.jamf.com/10.19.0/jamf-pro/install-guide-windows/Installed_Files_and_Folders.html
C:Program FilesJSSTomcatconfserver.xml

I’m on macOS 10.14.

@jdh1979 for macOS, its in /Library/JSS/Tomcat/conf/server.xml

So, question, what will this impact if we comment out that line? Does JAMF use the AJP connector functionality at all? Can we test to see if AJP is used, if so, how do we go about that?

Is there a way to find out which version of Tomcat we are running with JAMF? Looking through some of the config files now, but on Windows Server 2012 R2, I don't see Apache installed as its own thing in Program and Features, so I imagine it's embedded in the JAMF install?

Found the versions of Tomcat with JAMF Pro installed: https://www.jamf.com/jamf-nation/articles/380/apache-tomcat-versions-installed-by-the-jamf-pro-installer

I've just tried editing /Library/JSS/Tomcat/conf/server.xml by commenting out the AJP section so it looks like this:

<!-- Define an AJP 1.3 Connector on port 8009 -->
<!-- <Connector URIEncoding="UTF-8" port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->

Bounced Tomcat and the JSS won't startup. Reverted it back (bouncing Tomcat after each change) and it starts up fine.

Not sure what I'm doing wrong. Seems so simple; getting unexpected results.

Never mind. I'm an idiot. I thought I was commenting out the line but wasn't. Too early; need caffeine.

@H3144-IT - great question. If you are doing manual installs of Jamf Pro in your environment, upgrading to the patched version of Apache Tomcat is a valid remediation as well. For people using the installer, since there are pathing changes, we recommend commenting out the AJP connector for ease of continuous upgrades.

@jdionne - No Jamf products use the AJP connector, we use the HTTP connector in the server.xml, making commenting out this connector in our opinion the easiest path to remediation, if you use our installers, until our next major release of Jamf Pro.

@jdionne I have the same ask into Jamf about the potential impact of commenting out that line of code in the server.xml. A perfectly good question in my opinion. I see all it does is redirect traffic, but I am not aware of what would use port 8009..

For others, you can find the specific version of Apache you have via the Jamf Summary as well.

So macOS Firewall. How do you block a single incoming port on the macOS Firewall? I can block all incoming but not really wanting to do that. Thanks in advance.

@damienbarrett I got the same thing, so I reverted back to having it 'working'. Couldn't reach our JAMF instance locally (on an Azure server) or from an external computer (Macbook in this case).

At this point, with it now up and working, I will leave it as-is. I'll see if I can get a firewall rule on the Azure server to block on port 8009, though.

Question: When I comment out the line below, Tomcat will not restart. Is anyone else having this problem?
<!-- <Connector URIEncoding="UTF-8" port="8009" protocol="AJP/1.3" redirectPort="8443" /> --&gt; -->

@Jennifer.Green I've done 3 servers thus far that were on 10.19. No issues whatsoever.

@benducklow, I am running 10.18, could this be the problem? Should an upgrade to 10.19 occur and then make the change to the server.xml file?

Thank you - Jen

Hey folks, if you’re having issues, please don’t hesitate to reach out to Support.

Commenting out the connector is not dependent on the version of Jamf Pro you’re running.

Thanks!

@scafide Will this be fixed in the 10.20 release installers?

To everybody that has problems after commenting out that line: You are most likely facing a feature on xml that does not allow nested comments. So make sure you only comment out that one line, or simply remove it, do not try to span your comment including the comment above the line in question. I fell into the same trap ...good that I can still learn a bit from my mistakes...

@sgorney Yes, the next major release of Jamf Pro will have installers which contain the most recent version of Apache Tomcat, which has this mitigation enabled by default.

Hello Folks,

Reviewing the thread thus far @austin_nill and @damienbarrett It appears your comments show the same syntax yet @damienbarrett you say this did not work for you. Can you elaborate?
Can you provide syntax that did work?

@Jennifer.Green

Looking at yoru screenshot you have a additional characters?

Yours : <!-- <Connector URIEncoding="UTF-8" port="8009" protocol="AJP/1.3" redirectPort="8443" /> --&gt; -->

How it should look: <!-- <Connector URIEncoding="UTF-8" port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->

Not sure if that matters, but I'd start there.

Cheers
Lee

@Jennifer.Green aside from this forum possibly mangling your exact syntax (and pardon if obvious), the start <!-- and ending --> should effectively comment-out lines in question, specifically the AJP Connection mention at start of this post. Depending on how you edited the server.xml file, perhaps your perms got changed, which would affect starting of Tomcat. Owner and group should both be jamftomcat . Hope that helps and you are back up and running.

Sounds like @damienbarrett sorted out his issue already?