CVE-2020-1938

Jason Bullock September 12, 2022

I am trying to remedy a hit I am getting on Nessus for CVE-2020-1938. Atlassian states that in the install directory/conf/server.xml I will see,

        <!--
         ==============================================================================================================
         AJP - Proxying Jira via Apache over HTTP or HTTPS

         If you're proxying traffic to Jira using the AJP protocol, uncomment the following connector line
         See the following for more information:

            Apache - https://confluence.atlassian.com/x/QiJ9MQ
         ==============================================================================================================
        -->

        <!--
        <Connector port="8009" URIEncoding="UTF-8" enableLookups="false" protocol="AJP/1.3"/>
        -->

and if commented out it is not vulnerable. However, I do not see this entry in the file at all. Because it is not in the file, can I treat it as if it were in the file and uncommented and thus not vulnerable?

1 answer

1 accepted

0 votes
Answer accepted
Srinatha T
Atlassian Team
September 13, 2022

Hi @Jason Bullock ,

Welcome to the Atlassian Community.

By default, Confluence is shipped with only HTTP connectors configured and not AJP connectors. You can customise it and use an AJP connector, but that has to be implemented by the customer. The absence of the AJP connector entry is a clear indication that it is not configured. So you should be good.

Have a good day!

Thanks,

Srinath T 
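
An added example, not part of the original thread and not Atlassian's code: a check that parses server.xml and lists only live AJP connectors, so an entry that is absent or wrapped in an XML comment reports as not configured. The function names and both sample documents are constructed for illustration; `address`, `secret` and `requiredSecret` are Tomcat connector attributes that the thread itself does not discuss.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample modelled on the snippet quoted in the question: the AJP
# connector exists only inside an XML comment, the HTTP connector is live.
SAMPLE_COMMENTED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <!--
    <Connector port="8009" URIEncoding="UTF-8" enableLookups="false" protocol="AJP/1.3"/>
    -->
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>"""

# Same constructed file with the comment markers removed (connector enabled).
SAMPLE_ACTIVE = SAMPLE_COMMENTED.replace("<!--", "").replace("-->", "")


def active_ajp_connectors(server_xml):
    """Return the attributes of every live (uncommented) AJP <Connector>."""
    # ElementTree discards XML comments, so commented-out connectors never appear.
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        # protocol is "AJP/1.3" or a class name such as ...ajp.AjpNioProtocol
        if "ajp" in conn.get("protocol", "").lower():
            found.append(dict(conn.attrib))
    return found


def report(server_xml):
    """Summarise the AJP exposure described by a server.xml document."""
    connectors = active_ajp_connectors(server_xml)
    if not connectors:
        return "no active AJP connector: entry absent or commented out"
    return "\n".join(
        "active AJP connector: port=%s address=%s secret_set=%s" % (
            c.get("port", "?"), c.get("address", "(not set)"),
            "secret" in c or "requiredSecret" in c)
        for c in connectors)


if __name__ == "__main__":
    if len(sys.argv) > 1:            # path to <install directory>/conf/server.xml
        with open(sys.argv[1], "rb") as fh:
            print(report(fh.read()))
    else:
        print(report(SAMPLE_COMMENTED))
        print(report(SAMPLE_ACTIVE))
```
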
