The purpose of this article is to address the AJP vulnerability in Wildfly. Because the application depends on AJP, the AJP listener cannot be disabled. It is, however, possible to require an AJP secret, which addresses the vulnerability: requests arriving on the AJP port without the correct secret are rejected with a 403.
1. Make sure Infogix Assure or any other Infogix application is deployed in Wildfly.

2. Open a terminal in Wildfly/bin and run jboss-cli.

3. Run "connect" to connect jboss-cli to the server; it will connect and provide a shell for modifying the Wildfly subsystems.

4. Run the commands below:

   /subsystem=undertow/configuration=filter/expression-filter=secret-checker:add(expression="not equals(%{r,secret}, 'YOUR_AJP_SECRET') -> response-code(403)")
   /subsystem=undertow/server=default-server/host=default-host/filter-ref=secret-checker:add(predicate="equals(%p,8009)")
   Please note:
   - Instead of 'YOUR_AJP_SECRET', provide a complex value that is hard to guess.
   - If the customer is using httpd with mod_jk or mod_proxy, it must be configured with the same 'YOUR_AJP_SECRET'.
   - If the customer is using httpd with mod_cluster, it should use http/https instead of AJP.
   - In a clustered Wildfly environment, the commands above need to be executed from the wildfly/bin directory on both nodes.
5. Check that the changes have been applied successfully: open standalone-full-ha.xml and search for "secret-checker"; both of the changes above should be present. Note that "standalone-full-ha.xml" is located in the configuration folder within the Wildfly directory, for example wildfly/igx/configuration.
6. Restart the wildfly server.
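The following script is an added example for this article and is not Infogix or Wildfly code. It generates a random AJP secret, writes the two jboss-cli commands from step 4 into a batch file with the placeholder replaced, and implements the check from step 5 as a function that succeeds only when "secret-checker" appears exactly twice in the configuration file and the placeholder 'YOUR_AJP_SECRET' is no longer present. It assumes a POSIX shell with /dev/urandom, od and grep available; it does not run jboss-cli itself.

```shell
#!/bin/sh
# Added example (not Infogix or Wildfly code). Assumes /dev/urandom, od and
# grep are available. jboss-cli is not executed here; the operator feeds the
# generated batch file to it.

# generate_secret: 24 random bytes as 48 hex characters, used as the AJP secret
generate_secret() {
    head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_cli_batch SECRET OUTFILE: the article's two CLI commands with the
# placeholder replaced by SECRET, one command per line
write_cli_batch() {
    secret="$1"
    out="$2"
    cat > "$out" <<EOF
/subsystem=undertow/configuration=filter/expression-filter=secret-checker:add(expression="not equals(%{r,secret}, '$secret') -> response-code(403)")
/subsystem=undertow/server=default-server/host=default-host/filter-ref=secret-checker:add(predicate="equals(%p,8009)")
EOF
}

# verify_config XMLFILE: step 5 as a check. Succeeds only if "secret-checker"
# occurs exactly twice (the expression-filter and the filter-ref) and the
# placeholder secret has not been left in the file.
verify_config() {
    n=$(grep -c 'secret-checker' "$1" 2>/dev/null || true)
    n=${n:-0}
    if [ "$n" -ne 2 ]; then
        echo "expected 2 secret-checker entries in $1, found $n" >&2
        return 1
    fi
    if grep -q 'YOUR_AJP_SECRET' "$1"; then
        echo "placeholder secret still present in $1" >&2
        return 1
    fi
    return 0
}

# Demo (only when AJP_DEMO=1): write the batch file to a temp path and show it.
if [ "${AJP_DEMO:-0}" = 1 ]; then
    batch=$(mktemp)
    write_cli_batch "$(generate_secret)" "$batch"
    echo "jboss-cli batch written to $batch:"
    cat "$batch"
fi
```

Run it with AJP_DEMO=1 to print the generated batch file, then pass that file to jboss-cli (for example with its --file option after connecting) on each node; the same secret must then be configured on the httpd side. After the restart in step 6, verify_config can be pointed at the standalone-full-ha.xml from step 5.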