
I am trying to remedy a hit I am getting on Nessus for CVE-2020-1938. Atlassian states that in the install directory/conf/server.xml I will see,

        <!--
         ==============================================================================================================
         AJP - Proxying Jira via Apache over HTTP or HTTPS

         If you're proxying traffic to Jira using the AJP protocol, uncomment the following connector line
         See the following for more information:

            Apache - https://confluence.atlassian.com/x/QiJ9MQ
         ==============================================================================================================
        -->

        <!--
        <Connector port="8009" URIEncoding="UTF-8" enableLookups="false" protocol="AJP/1.3"/>
        -->

and if it is commented out, it is not vulnerable. However, I do not see this entry in the file at all. Because it is not in the file, can I treat it as if it were in the file and uncommented and thus not vulnerable?

Answer accepted
Srinatha T Atlassian Team Sep 13, 2022

Hi @Jason Bullock ,

Welcome to the Atlassian Community.

By default, Confluence is shipped with only HTTP connectors configured and not AJP connectors. You can customise and use an AJP connector, but it has to be implemented by the customer. The absence of the AJP connector entry is a clear indication that it is not configured. So you should be good.

Have a good day!

Thanks,

Srinath T 
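
The check discussed in this thread, as an added example that is not part of the original posts or of Atlassian's tooling: a Python 3.8+ sketch that classifies a Tomcat `server.xml` as having an active, commented-out or absent AJP connector. The sample XML is constructed from the snippet quoted in the question, and the function name `ajp_status` is hypothetical.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the snippet quoted in the question.
COMMENTED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <!--
  <Connector port="8009" URIEncoding="UTF-8" enableLookups="false" protocol="AJP/1.3"/>
  -->
</Service></Server>"""
ABSENT = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>"""
ACTIVE = COMMENTED.replace("<!--", "").replace("-->", "")

# Matches a Connector with an AJP protocol value inside comment text.
AJP_IN_COMMENT = re.compile(
    r"<Connector\b[^>]*\bprotocol\s*=\s*[\"'][^\"']*ajp", re.I)


def ajp_status(server_xml_text):
    """Return ("active", [ports]), ("commented", []) or ("absent", [])."""
    # insert_comments=True keeps comment nodes so they can be inspected too.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(server_xml_text, parser=parser)
    active_ports, commented = [], False
    for node in root.iter():
        if node.tag is ET.Comment:
            # A commented-out connector is never loaded by Tomcat.
            if AJP_IN_COMMENT.search(node.text or ""):
                commented = True
        elif node.tag == "Connector":
            # Covers protocol="AJP/1.3" and class names containing "ajp".
            if "ajp" in node.get("protocol", "").lower():
                active_ports.append(node.get("port", "?"))
    if active_ports:
        return ("active", active_ports)
    return ("commented" if commented else "absent", [])


if __name__ == "__main__":
    # Pass the path to <install directory>/conf/server.xml, or run the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(ajp_status(fh.read()))
    else:
        for name, text in (("commented", COMMENTED), ("absent", ABSENT), ("active", ACTIVE)):
            print(name, "->", ajp_status(text))
```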

Deployment type: Server