I am trying to remedy a hit I am getting on Nessus for CVE-2020-1938. Atlassian states that in the install directory/conf/server.xml I will see,
<!--
 ==============================================================================================================
 AJP - Proxying Jira via Apache over HTTP or HTTPS
 If you're proxying traffic to Jira using the AJP protocol, uncomment the following connector line
 See the following for more information:
    Apache - https://confluence.atlassian.com/x/QiJ9MQ
 ==============================================================================================================
-->
<!--
<Connector port="8009" URIEncoding="UTF-8" enableLookups="false" protocol="AJP/1.3"/>
-->
and if commented out it is not vulnerable. However, I do not see this entry in the file at all. Because it is not in the file, can I treat it as if it were in the file and uncommented and thus not vulnerable?
Hi @Jason Bullock ,
Welcome to Atlassian community.
By default, Confluence is shipped with only HTTP connectors configured and not AJP connectors. You can customise it and use an AJP connector, but it has to be implemented by the customer. The absence of the AJP connector entry is a clear indication that it is not configured. So you should be good.
Have a good day!
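To confirm which of the three cases discussed above a given server.xml is in (AJP connector active, commented out, or absent), here is an added example that is not part of either post or of Atlassian's documentation. The function name `ajp_status` and the sample files are constructed for illustration; for a real check, pass in the contents of the install directory's conf/server.xml.

```python
import re
import xml.etree.ElementTree as ET

# Matches a <Connector ... protocol="...AJP..."> tag that sits inside an XML comment.
COMMENTED_AJP = re.compile(
    r"<Connector\b[^>]*\bprotocol\s*=\s*[\"'][^\"']*ajp", re.IGNORECASE)


def ajp_status(server_xml):
    """Return (status, ports): status is 'active', 'commented-out' or 'absent'."""
    # insert_comments=True (Python 3.8+) keeps comments in the tree so they can be inspected.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(server_xml, parser=parser)
    ports, commented = [], False
    for node in root.iter():
        if node.tag is ET.Comment:
            commented = commented or bool(COMMENTED_AJP.search(node.text or ""))
        elif node.tag == "Connector" and "ajp" in node.get("protocol", "").lower():
            # Covers "AJP/1.3" and class names such as org.apache.coyote.ajp.AjpNioProtocol.
            ports.append(node.get("port", "unknown"))
    if ports:
        return "active", ports
    return ("commented-out" if commented else "absent"), []


# Constructed sample files (not taken from a real installation).
TEMPLATE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    {extra}
  </Service>
</Server>"""
AJP = '<Connector port="8009" URIEncoding="UTF-8" enableLookups="false" protocol="AJP/1.3"/>'
SAMPLES = {
    "active": TEMPLATE.format(extra=AJP),
    "commented-out": TEMPLATE.format(extra="<!-- " + AJP + " -->"),
    "absent": TEMPLATE.format(extra=""),
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", ajp_status(text))
```

Only the "active" result means the file configures a running AJP connector; a connector without a `protocol` attribute is an HTTP connector and is not counted.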