IMPORTANT - PASOE customers who use the Apache AJP Connector

Posted by David Cleary on 09-Apr-2020 17:46

For added convenience, Progress Application Server (PAS) for OpenEdge includes the Apache Tomcat AJP connector. A serious vulnerability has recently been discovered and published by the security community about this third-party component:

https://nvd.nist.gov/vuln/detail/CVE-2020-1938

In order to address this vulnerability, the Apache Tomcat project made a breaking change that requires customers to regenerate their instances and reconfigure the AJP connector. The Apache Tomcat community is also discussing deprecating AJP in future versions of Tomcat due to the other options available today to connect front-end web servers to Tomcat.

In determining how best to address this issue for our customers, it is important for us to understand how many customers are using AJP today and with what other components. If you are using AJP, please respond to this and provide:

1. What third-party product you are using it with

2. If you have evaluated any alternatives to AJP13 and the results of that evaluation.

3. If you use AJP13 and have not considered alternatives, would you now be inclined to do so given its possible deprecation?

If you prefer to talk to us directly, please let us know as well and we will try to reach you separately.

Thank you for your help,

Progress OpenEdge Product Team 


All Replies

Posted by cbensinger on 13-Apr-2020 15:20

1) In some instances we are using an Apache front-end to communicate via the AJP connector.

2) As of now, we have not looked at an alternative.

3) It seems like we would not have much of a choice in that situation.

-Chuck Bensinger

-Osprey Retail

This thread is closed