Apache Tomcat JK Connector Content-Length Header Cross-User Information Disclosure

This script is Copyright (C) 2010-2011 Tenable Network Security, Inc.


Synopsis :

The remote web server is prone to an information disclosure attack.

Description :

Based on the version in the Server response header, the installation
of the Apache Tomcat JK Connector (aka mod_jk) listening on the
remote host is a version of 1.2.x before 1.2.27. Such versions
reportedly may allow a remote attacker to view the response associated
with a different user's request, either by sending a request with a
Content-Length but without any data or by sending repeated requests
very quickly.

Note that Nessus did not actually test for the flaw but instead
relied on the version in the Server response header, so this may be a
false positive.
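
The banner check described above, as an added Python example (not the plugin's own code). It flags mod_jk 1.2.x tokens older than 1.2.27 in collected Server headers and queues hosts with no mod_jk token for a check on the host itself; the host names, banners and function names are constructed for illustration.

```python
import re

# mod_jk announces itself as a "mod_jk/x.y.z" product token in the Server header.
MOD_JK_TOKEN = re.compile(r"\bmod_jk/(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)
FIXED = (1, 2, 27)  # first fixed release, from the Solution section


def classify_banner(server_header):
    """Classify one Server header value; returns (status, version_string_or_None).

    "flagged"     : 1.2.x release older than 1.2.27
    "not-flagged" : 1.2.27 or later, or outside the 1.2.x branch
    "no-banner"   : no mod_jk token, so the banner proves nothing either way
    """
    match = MOD_JK_TOKEN.search(server_header or "")
    if match is None:
        return ("no-banner", None)
    version = tuple(int(part) for part in match.groups())
    text = ".".join(str(part) for part in version)
    # Compare as integers: as strings, "1.2.9" would sort after "1.2.27".
    if version[:2] == (1, 2) and version < FIXED:
        return ("flagged", text)
    return ("not-flagged", text)


def review_queue(banners):
    """Hosts whose mod_jk version still has to be confirmed on the host itself."""
    queue = []
    for host in sorted(banners):
        status, version = classify_banner(banners[host])
        if status != "not-flagged":
            queue.append((host, status, version))
    return queue


# Constructed sample data: host names and banners are made up for illustration.
SAMPLE_BANNERS = {
    "web01.example.internal": "Apache/2.2.9 (Unix) mod_jk/1.2.26",
    "web02.example.internal": "Apache/2.2.9 (Unix) mod_jk/1.2.9 mod_ssl/2.2.9",
    "web03.example.internal": "Apache/2.2.11 (Unix) mod_jk/1.2.27",
    "web04.example.internal": "Apache",
}

if __name__ == "__main__":
    for host, status, version in review_queue(SAMPLE_BANNERS):
        print(host, status, version or "-")
```

A "flagged" result carries the same false-positive caveat as the plugin, since only the banner was read; confirm the installed mod_jk version on the host.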

See also :

http://www.securityfocus.com/archive/1/502530

Solution :

Upgrade to mod_jk 1.2.27 or later.

Risk factor :

Low / CVSS Base Score : 2.6
(CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 2.1
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Web Servers

Nessus Plugin ID: 46885

Bugtraq ID: 34412

CVE ID: CVE-2008-5519