Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount rules for subtrees of previous JkMount rules, which allows remote attackers to access otherwise restricted artifacts via unspecified vectors.

The version of Apache Tomcat JK Connector (mod_jk) installed on the remote host is version 1.2.x prior to 1.2.41. It is, therefore, affected by an information disclosure vulnerability due to improper handling of the 'JkUnmount' directive and multiple, adjacent slashes in requests. A remote attacker can exploit this to access restricted private artifacts, resulting in the disclosure of sensitive information.

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

This update for apache2-mod_jk fixes the following issues :

Security issues fixed :

CVE-2018-11759: Fixed connector path traversal due to mishandled HTTP requests in httpd (bsc#1114612).

CVE-2014-8111: Apache Tomcat Connectors (mod_jk) ignored JkUnmount rules for subtrees of previous JkMount rules, which allowed remote attackers to access otherwise restricted artifacts via unspecified vectors (bsc#927845).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2015:0848 advisory.

    Red Hat JBoss Enterprise Application Platform 6 is a platform for Java     applications based on JBoss Application Server 7.

    It was found that a prior countermeasure in Apache WSS4J for     Bleichenbacher's attack on XML Encryption (CVE-2011-2487) threw an     exception that permitted an attacker to determine the failure of the     attempted attack, thereby leaving WSS4J vulnerable to the attack.
    The original flaw allowed a remote attacker to recover the entire plain     text form of a symmetric key. (CVE-2015-0226)

    A flaw was found in the way PicketLink's Service Provider and Identity     Provider handled certain requests. A remote attacker could use this flaw to     log to a victim's account via PicketLink. (CVE-2015-0277)

    It was discovered that a JkUnmount rule for a subtree of a previous JkMount     rule could be ignored. This could allow a remote attacker to potentially     access a private artifact in a tree that would otherwise not be accessible     to them. (CVE-2014-8111)

    It was found that Apache WSS4J permitted bypass of the     requireSignedEncryptedDataElements configuration property via XML Signature     wrapping attacks. A remote attacker could use this flaw to modify the     contents of a signed request. (CVE-2015-0227)

    It was found that the Command Line Interface, as provided by Red Hat     Enterprise Application Platform, created a history file named     .jboss-cli-history in the user's home directory with insecure default file     permissions. This could allow a malicious local user to gain information     otherwise not accessible to them. (CVE-2014-3586)

    The CVE-2015-0277 issue was discovered by Ondrej Kotek of Red Hat.

    This release of JBoss Enterprise Application Platform also includes bug     fixes and enhancements. Documentation for these changes will be available     shortly from the JBoss Enterprise Application Platform 6.4.0 Release Notes,     linked to in the References.

    All users who require JBoss Enterprise Application Platform 6.4.0 on Red     Hat Enterprise Linux 7 should install these new packages. The JBoss server     process must be restarted for the update to take effect.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Apache2 webserver was updated to fix several issues :

Security issues fixed :

  - The chunked transfer coding implementation in the Apache     HTTP Server did not properly parse chunk headers, which     allowed remote attackers to conduct HTTP request     smuggling attacks via a crafted request, related to     mishandling of large chunk-size values and invalid     chunk-extension characters in     modules/http/http_filters.c. [bsc#938728, CVE-2015-3183]

  - The LOGJAM security issue was addressed by: [bnc#931723     CVE-2015-4000]

  - changing the SSLCipherSuite cipherstring to disable     export cipher suites and deploy Ephemeral Elliptic-Curve     Diffie-Hellman (ECDHE) ciphers.

  - Adjust 'gensslcert' script to generate a strong and     unique Diffie Hellman Group and append it to the server     certificate file.

  - The ap_some_auth_required function in server/request.c     in the Apache HTTP Server 2.4.x did not consider that a     Require directive may be associated with an     authorization setting rather than an authentication     setting, which allowed remote attackers to bypass     intended access restrictions in opportunistic     circumstances by leveraging the presence of a module     that relies on the 2.2 API behavior. [bnc#938723     bnc#939516 CVE-2015-3185]

  - Tomcat mod_jk information leak due to incorrect     JkMount/JkUnmount directives processing [bnc#927845     CVE-2014-8111]

Other bugs fixed :

  - Now provides a suse_maintenance_mmn_# [bnc#915666].

  - Hard-coded modules in the %files [bnc#444878].

  - Fixed the IfModule directive around SSLSessionCache     [bnc#911159].

  - allow only TCP ports in Yast2 firewall files     [bnc#931002]

  - fixed a regression when some LDAP searches or     comparisons might be done with the wrong credentials     when a backend connection is reused [bnc#930228]

  - Fixed split-logfile2 script [bnc#869790]

  - remove the changed MODULE_MAGIC_NUMBER_MINOR from which     confuses modules the way that they expect functionality     that our apache does not provide [bnc#915666]

  - gensslcert: CN now defaults to `hostname -f`     [bnc#949766], fix help [bnc#949771]

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update for Red Hat JBoss Web Server 2.1.0 that fixes two security issues is now available for Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

A flaw was found in the way the mod_cluster manager processed certain MCMP messages. An attacker with access to the network from which MCMP messages are allowed to be sent could use this flaw to execute arbitrary JavaScript code in the mod_cluster manager web interface.
(CVE-2015-0298)

It was discovered that a JkUnmount rule for a subtree of a previous JkMount rule could be ignored. This could allow a remote attacker to potentially access a private artifact in a tree that would otherwise not be accessible to them. (CVE-2014-8111)

All users of Red Hat JBoss Web Server 2.1.0 are advised to apply this update. The Red Hat JBoss Web Server process must be restarted for the update to take effect.

Based on the Server response header, the installation of the JK Connector (mod_jk) in Apache Tomcat listening on the remote host is version 1.2.x prior to 1.2.41. It is, therefore, affected by an information disclosure vulnerability due to improper handling of the 'JkUnmount' directive and multiple, adjacent slashes in requests. A remote attacker can exploit this to access restricted private artifacts, resulting in the disclosure of sensitive information.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

NIST reports :

Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount rules for subtrees of previous JkMount rules, which allows remote attackers to access otherwise restricted artifacts via unspecified vectors.

Apache Tomcat Connectors (mod_jk) contains a flaw that is triggered due to the incorrect handling of the JkMount and JkUnmount directives, which can lead to the exposure of potentially sensitive information. 

An information disclosure flaw due to incorrect JkMount/JkUnmount directives processing was found in the Apache 2 module mod_jk to forward requests from the Apache web server to Tomcat. A JkUnmount rule for a subtree of a previous JkMount rule could be ignored. This could allow a remote attacker to potentially access a private artifact in a tree that would otherwise not be accessible to them.

For the squeeze distribution, this problem has been fixed in version 1:1.2.30-1squeeze2.

We recommend that you upgrade your libapache-mod-jk packages.

This update has been prepared by Markus Koschany.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An information disclosure flaw due to incorrect JkMount/JkUnmount directives processing was found in the Apache 2 module mod_jk to forward requests from the Apache web server to Tomcat. A JkUnmount rule for a subtree of a previous JkMount rule could be ignored. This could allow a remote attacker to potentially access a private artifact in a tree that would otherwise not be accessible to them.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2015:0847 advisory.

    Red Hat JBoss Enterprise Application Platform 6 is a platform for Java     applications based on JBoss Application Server 7.

    It was found that a prior countermeasure in Apache WSS4J for     Bleichenbacher's attack on XML Encryption (CVE-2011-2487) threw an     exception that permitted an attacker to determine the failure of the     attempted attack, thereby leaving WSS4J vulnerable to the attack.
    The original flaw allowed a remote attacker to recover the entire plain     text form of a symmetric key. (CVE-2015-0226)

    It was found that Apache WSS4J permitted bypass of the     requireSignedEncryptedDataElements configuration property via XML Signature     wrapping attacks. A remote attacker could use this flaw to modify the     contents of a signed request. (CVE-2015-0227)

    It was discovered that a JkUnmount rule for a subtree of a previous JkMount     rule could be ignored. This could allow a remote attacker to potentially     access a private artifact in a tree that would otherwise not be accessible     to them. (CVE-2014-8111)

    A flaw was found in the way PicketLink's Service Provider and Identity     Provider handled certain requests. A remote attacker could use this flaw to     log to a victim's account via PicketLink. (CVE-2015-0277)

    It was found that the Command Line Interface, as provided by Red Hat     Enterprise Application Platform, created a history file named     .jboss-cli-history in the user's home directory with insecure default file     permissions. This could allow a malicious local user to gain information     otherwise not accessible to them. (CVE-2014-3586)

    The CVE-2015-0277 issue was discovered by Ondrej Kotek of Red Hat.

    This release of JBoss Enterprise Application Platform also includes bug     fixes and enhancements. Documentation for these changes will be available     shortly from the JBoss Enterprise Application Platform 6.4.0 Release Notes,     linked to in the References.

    All users who require JBoss Enterprise Application Platform 6.4.0 on Red     Hat Enterprise Linux 6 should install these new packages. The JBoss server     process must be restarted for the update to take effect.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2015:0846 advisory.

    Red Hat JBoss Enterprise Application Platform 6 is a platform for Java     applications based on JBoss Application Server 7.

    It was found that a prior countermeasure in Apache WSS4J for     Bleichenbacher's attack on XML Encryption (CVE-2011-2487) threw an     exception that permitted an attacker to determine the failure of the     attempted attack, thereby leaving WSS4J vulnerable to the attack.
    The original flaw allowed a remote attacker to recover the entire plain     text form of a symmetric key. (CVE-2015-0226)

    It was found that Apache WSS4J permitted bypass of the     requireSignedEncryptedDataElements configuration property via XML Signature     wrapping attacks. A remote attacker could use this flaw to modify the     contents of a signed request. (CVE-2015-0227)

    It was discovered that a JkUnmount rule for a subtree of a previous JkMount     rule could be ignored. This could allow a remote attacker to potentially     access a private artifact in a tree that would otherwise not be accessible     to them. (CVE-2014-8111)

    A flaw was found in the way PicketLink's Service Provider and Identity     Provider handled certain requests. A remote attacker could use this flaw to     log to a victim's account via PicketLink. (CVE-2015-0277)

    It was found that the Command Line Interface, as provided by Red Hat     Enterprise Application Platform, created a history file named     .jboss-cli-history in the user's home directory with insecure default file     permissions. This could allow a malicious local user to gain information     otherwise not accessible to them. (CVE-2014-3586)

    The CVE-2015-0277 issue was discovered by Ondrej Kotek of Red Hat.

    This release of JBoss Enterprise Application Platform also includes bug     fixes and enhancements. Documentation for these changes will be available     shortly from the JBoss Enterprise Application Platform 6.4.0 Release Notes,     linked to in the References.

    All users who require JBoss Enterprise Application Platform 6.4.0 on Red     Hat Enterprise Linux 5 should install these new packages. The JBoss server     process must be restarted for the update to take effect.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
98523	Apache Tomcat JK Connector 1.2.x < 1.2.41 JkUnmount Directive Handling Remote Information Disclosure	Web App Scanning	Component Vulnerability	high
119336	SUSE SLES11 Security Update : apache2-mod_jk (SUSE-SU-2018:3970-1)	Nessus	SuSE Local Security Checks	high
112239	RHEL 7 : Red Hat JBoss Enterprise Application Platform 6.4.0 update (Important) (RHSA-2015:0848)	Nessus	Red Hat Local Security Checks	high
86703	SUSE SLES12 Security Update : apache2 (SUSE-SU-2015:1851-1) (Logjam)	Nessus	SuSE Local Security Checks	low
85563	RHEL 5 / 6 / 7 : JBoss Web Server (RHSA-2015:1642)	Nessus	Red Hat Local Security Checks	medium
85513	Apache Tomcat JK Connector 1.2.x < 1.2.41 JkUnmount Directive Handling Remote Information Disclosure	Nessus	Web Servers	medium
85483	FreeBSD : mod_jk -- information disclosure (47aa4343-44fa-11e5-9daa-14dae9d210b8)	Nessus	FreeBSD Local Security Checks	medium
8833	Apache Tomcat mod_jk < 1.2.41	Nessus Network Monitor	Web Servers	medium
84062	Debian DLA-240-1 : libapache-mod-jk security update	Nessus	Debian Local Security Checks	medium
83980	Debian DSA-3278-1 : libapache-mod-jk - security update	Nessus	Debian Local Security Checks	medium
82896	RHEL 6 : Red Hat JBoss Enterprise Application Platform 6.4.0 update (Important) (RHSA-2015:0847)	Nessus	Red Hat Local Security Checks	high
82895	RHEL 5 : Red Hat JBoss Enterprise Application Platform 6.4.0 update (Important) (RHSA-2015:0846)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2014-8111

high

Tenable Plugins

high

high

high

low

medium

medium

medium

medium

medium

medium

high

high