How do I safely enable the org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH setting in AM (All versions)?
The purpose of this article is to provide information on the recommended ways to enable the org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH setting in AM. Setting this Apache Tomcat™ property to true can introduce a security vulnerability when Tomcat is deployed behind a reverse proxy.
The recommendations made in this article are not an exhaustive list of the potential mitigations, workarounds or remedies for this issue. These recommendations are provided without any warranty or liability to ForgeRock.
The advice in this article only applies to Tomcat versions that still support this property. It has been deprecated in the following versions and will be removed in Tomcat 10:
- Tomcat 9.0.34
- Tomcat 8.5.54
- Tomcat 7.0.104
It has been replaced with a new connector attribute: encodedSolidusHandling. See Apache Tomcat 9 Configuration Reference - Common Attributes and Apache Tomcat 9 Security Considerations - Connectors for further information on this attribute.
When Tomcat is deployed behind a reverse proxy, enabling this setting (org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true) can expose you to a directory traversal security vulnerability (CVE-2007-0450); see Apache Tomcat 6.x Vulnerabilities for further information. However, there are certain scenarios where enabling this setting is useful, for example:
- Making REST calls where the resource name includes a forward slash. This includes resources such as SAML2 entities, policy names, application names and user names.
- Importing or exporting configurations using Amster where the resource name includes a forward slash.
The best approach is to avoid resource names that contain forward slashes, which sidesteps this issue completely.
If you already use such names and do not wish to migrate away from them at this time, consider the following mitigations or workarounds when you need to enable this setting:
- Only enable the setting for a small window of time while you carry out a task that requires it (for example, an Amster import or updating SAML entities) and then disable it again immediately afterwards.
- Only enable the setting on a server that has been removed from the load balancer or is otherwise unreachable from an untrusted network. For instance, consider having a dedicated AM admin UI server that is firewalled off from the internet and is just used to update the configuration store in LDAP.
- Ensure that Tomcat cannot read files outside of its context root (this is the default). If you must allow Tomcat to read files outside of the context root, then:
  - ensure sensitive files are not readable from Tomcat or are installed into unpredictable locations (for example, rather than install AM into ~/am, install into ~/<some-long-random-string>).
  - never enable directory listings.
- Adjust your reverse proxy URL filtering rules to match how Tomcat performs path handling (this may not be possible depending on how much control the reverse proxy provides).
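The last mitigation is the one that is easiest to get wrong: a proxy rule that matches on the request line as received does not see the path that Tomcat will actually serve once %2F has been decoded and dot segments resolved. The following Python is an added example for this article, not ForgeRock or Apache code. It models the three behaviours the article describes (the legacy property with ALLOW_ENCODED_SLASH=false and true, which correspond to the encodedSolidusHandling values reject and decode, plus passthrough), canonicalises a request path the way the backend would, and compares a naive proxy deny rule with one applied to the canonical form. The deny prefix /am/admin/ and all request paths are constructed sample data.

```python
"""
Model of how a Tomcat backend turns a raw request-URI path into the path it
serves, and why a reverse proxy URL filter must be evaluated against that
canonical form rather than against the raw request line.

Added example; not ForgeRock or Apache code. Behaviours modelled:
  ALLOW_ENCODED_SLASH=false / encodedSolidusHandling="reject"      -> %2F => HTTP 400
  ALLOW_ENCODED_SLASH=true  / encodedSolidusHandling="decode"      -> %2F => "/"
                              encodedSolidusHandling="passthrough" -> %2F left as-is
"""
import re
from urllib.parse import unquote

# Constructed deny rule a reverse proxy might enforce in front of AM.
PROXY_DENY_PREFIXES = ("/am/admin/",)

_ENCODED_SLASH = re.compile(r"%2[fF]")


def decode_path(raw_path, encoded_solidus_handling="reject"):
    """Percent-decode a raw request path the way the configured Tomcat would.

    Returns the decoded path, or None where Tomcat would answer 400.
    """
    if encoded_solidus_handling == "reject":
        if _ENCODED_SLASH.search(raw_path):
            return None                      # request rejected with 400
        return unquote(raw_path)
    if encoded_solidus_handling == "decode":
        return unquote(raw_path)             # %2F decodes like any other %nn
    if encoded_solidus_handling == "passthrough":
        # Decode everything except the %2F sequences, which stay literal.
        parts = _ENCODED_SLASH.split(raw_path)
        return "%2F".join(unquote(p) for p in parts)
    raise ValueError("unknown encodedSolidusHandling: %r" % encoded_solidus_handling)


def remove_dot_segments(path):
    """Resolve "." and ".." segments (RFC 3986 section 5.2.4 style)."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in (".", ""):
            out.append(seg)
    return "/" + "/".join(out)


def effective_path(raw_path, encoded_solidus_handling):
    """The path the backend will actually route, or None for a 400."""
    decoded = decode_path(raw_path, encoded_solidus_handling)
    if decoded is None:
        return None
    return remove_dot_segments(decoded)


def _matches_deny_rule(path):
    return any(path == p.rstrip("/") or path.startswith(p)
               for p in PROXY_DENY_PREFIXES)


def naive_proxy_blocks(raw_path):
    """Weak rule: inspects the request line exactly as received."""
    return _matches_deny_rule(raw_path)


def hardened_proxy_blocks(raw_path, encoded_solidus_handling):
    """Corrected rule: canonicalise the way the backend will, then match.

    A path the backend would reject anyway is refused at the edge as well.
    """
    target = effective_path(raw_path, encoded_solidus_handling)
    if target is None:
        return True
    return _matches_deny_rule(target)


if __name__ == "__main__":
    # Constructed requests: a REST user name containing a slash (the use case
    # the article describes) and a path whose raw form hides its real target.
    samples = ["/am/json/users/acme%2Fjdoe", "/am/json/..%2Fadmin/console"]
    for mode in ("reject", "decode", "passthrough"):
        for raw in samples:
            print("%-11s %-32s -> effective=%-28s naive_blocks=%-5s hardened_blocks=%s" % (
                mode, raw, effective_path(raw, mode),
                naive_proxy_blocks(raw), hardened_proxy_blocks(raw, mode)))
```

Under reject the user name with %2F is the 400 the article refers to; under decode it reaches the backend as /am/json/users/acme/jdoe and is correctly allowed, while the second request is only blocked by the filter that canonicalises first. Running the check in this form against your own proxy's deny list, for each handling mode you intend to enable, is a quick way to confirm the proxy and Tomcat agree before the setting is switched on.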