The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remote attackers to obtain sensitive information via an arbitrary request from an HTTP client, in opportunistic circumstances involving (1) a request from a different client that included a Content-Length header but no POST data or (2) a rapid series of requests, related to noncompliance with the AJP protocol's requirements for requests containing Content-Length headers.

SunOS 5.10_x86: Apache 1.3 Patch.
Date this patch was last updated by Sun : Mar/29/16

SunOS 5.10_x86: Apache 1.3 Patch.
Date this patch was last updated by Sun : Mar/02/16

SunOS 5.10_x86: Apache 1.3 Patch.
Date this patch was last updated by Sun : Nov/12/15

SunOS 5.10_x86: Apache 1.3 Patch.
Date this patch was last updated by Sun : Jul/13/15

SunOS 5.10_x86: Apache 1.3 Patch.
Date this patch was last updated by Sun : Mar/15/14

SunOS 5.10_x86: Apache 1.3 Patch.
Date this patch was last updated by Sun : Jul/11/13

SunOS 5.10: Apache 1.3 Patch.
Date this patch was last updated by Sun : Mar/29/16

SunOS 5.10: Apache 1.3 Patch.
Date this patch was last updated by Sun : Mar/02/16

SunOS 5.10: Apache 1.3 Patch.
Date this patch was last updated by Sun : Nov/12/15

SunOS 5.10: Apache 1.3 Patch.
Date this patch was last updated by Sun : Jul/13/15

SunOS 5.10: Apache 1.3 Patch.
Date this patch was last updated by Sun : Mar/15/14

SunOS 5.10: Apache 1.3 Patch.
Date this patch was last updated by Sun : Jul/11/13

Based on the Server response header, the installation of the JK Connector (mod_jk) in Apache Tomcat listening on the remote host is version 1.2.x prior to 1.2.27. It is, therefore, affected by an information disclosure vulnerability. A remote attacker can view the response associated with a different user's request, either by sending a request with a Content-Length without data or by sending repeated requests very quickly. 

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An updated mod_jk package that fixes one security issue is now available for Red Hat Network Satellite Server 5.1 and 5.2.

This update has been rated as having low security impact by the Red Hat Security Response Team.

mod_jk is an Apache Tomcat connector that allows Apache Tomcat and the Apache HTTP Server to communicate with each other.

An information disclosure flaw was found in mod_jk. In certain situations, if a faulty client set the 'Content-Length' header without providing data, or if a user sent repeated requests very quickly, one user may view a response intended for another user. (CVE-2008-5519)

Note: Red Hat Network Satellite Server is the only client that has access to mod_jk on the system, and as such, the exposure and risk of this issue is low.

Users of Red Hat Network Satellite Server 5.1 and 5.2 are advised to upgrade to this updated mod_jk package, which contains a backported patch to correct this issue.

Certain HTTP request could confuse the JK connector in Apache Tomcat which could result in a user seeing responses destined for other users (CVE-2008-5519).

The remote host is affected by the vulnerability described in GLSA-200906-04 (Apache Tomcat JK Connector: Information disclosure)

    The Red Hat Security Response Team discovered that mod_jk does not     properly handle (1) requests setting the 'Content-Length' header while     not providing data and (2) clients sending repeated requests very     quickly.
  Impact :

    A remote attacker could send specially crafted requests or a large     number of requests at a time, possibly resulting in the disclosure of a     response intended for another client.
  Workaround :

    There is no known workaround at this time.

An information disclosure flaw was found in mod_jk, the Tomcat Connector module for Apache. If a buggy client included the 'Content-Length' header without providing request body data, or if a client sent repeated requests very quickly, one client could obtain a response intended for another client.

The oldstable distribution (etch), this problem has been fixed in version 1:1.2.18-3etch2.

The remote host is running the Apache Tomcat web server with mod_jk

.  mod_jk is reported vulnerable to an information disclosure flaw due to the way that it processes 'Content-Length' headers.  Allegedly, an attacker supplying a NULL content-length can view the HTTP responses of other requests.  An attacker exploiting this flaw would be able to possibly gain access to confidential data. 

SunOS 5.9_x86: tomcat security patch.
Date this patch was last updated by Sun : May/27/11

SunOS 5.9: tomcat security patch.
Date this patch was last updated by Sun : Jul/27/11

mod_jk is reported vulnerable to an information disclosure flaw due to the way that it processes 'Content-Length' headers.  Allegedly, an attacker supplying a NULL content-length can view the HTTP responses of other requests.  An attacker exploiting this flaw would be able to possibly gain access to confidential data.

ID	Name	Product	Family	Severity
107888	Solaris 10 (x86) : 122912-37	Nessus	Solaris Local Security Checks	medium
107887	Solaris 10 (x86) : 122912-36	Nessus	Solaris Local Security Checks	medium
107886	Solaris 10 (x86) : 122912-35	Nessus	Solaris Local Security Checks	medium
107885	Solaris 10 (x86) : 122912-34	Nessus	Solaris Local Security Checks	medium
107884	Solaris 10 (x86) : 122912-33	Nessus	Solaris Local Security Checks	medium
107883	Solaris 10 (x86) : 122912-32	Nessus	Solaris Local Security Checks	medium
107386	Solaris 10 (sparc) : 122911-37	Nessus	Solaris Local Security Checks	medium
107385	Solaris 10 (sparc) : 122911-36	Nessus	Solaris Local Security Checks	medium
107384	Solaris 10 (sparc) : 122911-35	Nessus	Solaris Local Security Checks	medium
107383	Solaris 10 (sparc) : 122911-34	Nessus	Solaris Local Security Checks	medium
107382	Solaris 10 (sparc) : 122911-33	Nessus	Solaris Local Security Checks	medium
107381	Solaris 10 (sparc) : 122911-32	Nessus	Solaris Local Security Checks	medium
46885	Apache Tomcat JK Connector Content-Length Header Cross-User Information Disclosure	Nessus	Web Servers	low
43846	RHEL 4 : mod_jk in Satellite Server (RHSA-2009:1618)	Nessus	Red Hat Local Security Checks	low
42397	openSUSE 10 Security Update : apache2-mod_jk (apache2-mod_jk-6599)	Nessus	SuSE Local Security Checks	low
42392	openSUSE Security Update : apache2-mod_jk (apache2-mod_jk-1479)	Nessus	SuSE Local Security Checks	low
42389	openSUSE Security Update : apache2-mod_jk (apache2-mod_jk-1479)	Nessus	SuSE Local Security Checks	low
39571	GLSA-200906-04 : Apache Tomcat JK Connector: Information disclosure	Nessus	Gentoo Local Security Checks	low
38991	Debian DSA-1810-1 : libapache-mod-jk - information disclosure	Nessus	Debian Local Security Checks	low
4984	Apache TomCat mod_jk < 1.2.27 Cross-user Information Disclosure	Nessus Network Monitor	Web Servers	medium
13588	Solaris 9 (x86) : 114017-07	Nessus	Solaris Local Security Checks	low
13547	Solaris 9 (sparc) : 114016-08	Nessus	Solaris Local Security Checks	low
800629	Apache TomCat mod_jk < 1.2.27 Cross-user Information Disclosure	Log Correlation Engine	Web Servers	low

Detections

Analytics

CVE-2008-5519

high

Tenable Plugins

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

low

low

low

low

low

low

low

medium

low

low

low