Following the Tomcat security vulnerability affecting versions 6.x to 9.x (all info here), we advise Squash TF users to modify the Tomcat configuration and deactivate the Apache JServ Protocol (AJP) connector, which is enabled by default on port 8009.
You need to edit the apache-tomcat-8.5.16/conf/server.xml configuration file in the execution server's installation directory and comment out the following XML element:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
All users who do not need the AJP protocol should remove (or comment out) the related connector in their configuration; there is no need to reinstall the execution server.
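A quick way to confirm the change took effect, as an added example that is not part of the original advisory or of Squash TF: parse server.xml and list every live AJP connector. The two server.xml fragments below are constructed for the example (the real file in the execution server contains more elements), and the function uses only the standard library.

```python
import xml.etree.ElementTree as ET

# Constructed minimal server.xml, before the fix (not the real Squash TF file).
SERVER_XML_BEFORE = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
"""

# Same file after the AJP connector has been commented out, as the advisory asks.
SERVER_XML_AFTER = SERVER_XML_BEFORE.replace(
    '<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />',
    '<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->',
)


def active_ajp_connectors(server_xml: str):
    """Return a list of (port, bind address) for every live AJP connector.

    ElementTree discards XML comments while parsing, so a connector that has
    been commented out simply disappears from the tree, which is exactly the
    "deactivated" state we want to verify. Both the short protocol name
    (AJP/1.3) and the fully qualified class names (org.apache.coyote.ajp.*)
    are matched. A connector without an explicit address attribute binds to
    all interfaces, which is the risky default this advisory is about.
    """
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if "AJP" in protocol.upper():
            found.append((conn.get("port"), conn.get("address", "all interfaces")))
    return found


def ajp_is_disabled(server_xml: str) -> bool:
    """True when no AJP connector would be started from this server.xml."""
    return not active_ajp_connectors(server_xml)


if __name__ == "__main__":
    print("before:", active_ajp_connectors(SERVER_XML_BEFORE))
    print("after: ", active_ajp_connectors(SERVER_XML_AFTER))
```

Run it against the real file with `ajp_is_disabled(open("conf/server.xml").read())` after restarting Tomcat; an AJP connector that is still reported here will also still be listening on its port.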
For users creating a new execution server instance, we are releasing a new Squash TF execution server version (release 2.3.1) in which the AJP protocol is deactivated by default. The related release note is available here: https://squash-tf.readthedocs.io/en/latest/_downloads/526f43a55e827892ea2156cff86e7f96/squash-tf-execution-server-2.3.1_en.md
For clients who do need the AJP protocol, we intend to provide an upgrade of the bundled Tomcat server that fixes the vulnerability as soon as possible.