
Recommendations regarding the breach of security of Squash TF execution server

Updated: Jun 18, 2021


It is advisable to disable the AJP protocol in the Tomcat configuration in order to use the Squash TF execution server

Following the security breach affecting Tomcat versions 6.x to 9.x (all info here), we advise Squash TF users to modify the Tomcat configuration and deactivate the Apache JServ Protocol (AJP), which is active by default on port 8009.


You need to modify the apache-tomcat-8.5.16/conf/server.xml configuration file directly in the installation directory of the execution server and comment out the following XML element:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />


All users who don't need the AJP protocol should remove the related connector from their configuration; there is no need to reinstall the execution server.
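One way to confirm that no AJP connector remains active after the edit, as an added example that is not part of the Squash TF distribution. The function name and the sample server.xml content are constructed for illustration; pass the path to your own server.xml as the first argument.

```python
import sys
import xml.etree.ElementTree as ET


def active_ajp_connectors(server_xml):
    """Return the <Connector> elements that still enable AJP.

    ElementTree drops XML comments while parsing, so a connector that has
    been commented out is not reported. Accepts str or bytes.
    """
    found = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "")
        # Matches protocol="AJP/1.3" as well as explicit implementation
        # classes such as org.apache.coyote.ajp.AjpNioProtocol.
        if protocol.upper().startswith("AJP") or ".ajp." in protocol.lower():
            found.append({"port": conn.get("port"),
                          "protocol": protocol,
                          "address": conn.get("address")})
    return found


# Constructed sample of a server.xml before the change (not a real file).
AJP_LINE = '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />'
SAMPLE_BEFORE = f"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    {AJP_LINE}
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>"""
# The same sample with the AJP connector commented out, as advised above.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(AJP_LINE, f"<!-- {AJP_LINE} -->")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:  # bytes: honours the XML encoding
            data = fh.read()
    else:
        data = SAMPLE_BEFORE
    hits = active_ajp_connectors(data)
    for h in hits:
        print(f"AJP still enabled: port={h['port']} protocol={h['protocol']} "
              f"address={h['address']}")
    if not hits:
        print("No active AJP connector found.")
    sys.exit(1 if hits else 0)
```

The non-zero exit status when an AJP connector is still present lets the check run from a deployment or monitoring script. Tomcat must be restarted for a change to server.xml to take effect.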


For users creating a new execution server instance, we are releasing a new Squash TF execution server version (release 2.3.1) in which the AJP protocol is deactivated by default. The related release note is available here: https://squash-tf.readthedocs.io/en/latest/_downloads/526f43a55e827892ea2156cff86e7f96/squash-tf-execution-server-2.3.1_en.md


For clients who do need the AJP protocol, we intend to provide a Tomcat server version upgrade that corrects the breach as soon as possible.
