Apache Tomcat JK Connector 1.2.x < 1.2.41 JkUnmount Directive Handling Remote Information Disclosure

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote web server is affected by an information disclosure
vulnerability.

Description :

Based on the Server response header, the installation of the JK
Connector (mod_jk) in Apache Tomcat listening on the remote host is
version 1.2.x prior to 1.2.41. It is, therefore, affected by an
information disclosure vulnerability due to improper handling of the
'JkUnmount' directive and multiple, adjacent slashes in requests. A
remote attacker can exploit this to access restricted private
artifacts, resulting in the disclosure of sensitive information.

Note that Nessus has not tested for this issue but has instead relied
only on the application's self-reported version number.

See also :

http://www.nessus.org/u?a336ab81
https://svn.apache.org/viewvc?view=revision&revision=1647017

Solution :

Upgrade to mod_jk version 1.2.41 or later.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 4.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: Web Servers

Nessus Plugin ID: 85513 ()

Bugtraq ID: 74265

CVE ID: CVE-2014-8111

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now