Rapid7 Vulnerability & Exploit Database

Unprotected Tomcat JK jkstatus management and diagnostics page


Severity: 5
CVSS (v2 base vector): (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published: 05/12/2008
Created: 07/25/2018
Added: 05/12/2008
Modified: 06/20/2013

Description

JK is the connector that lets Apache Tomcat (or related servers such as JBoss) run behind another web server such as Apache httpd, IIS, or iPlanet, which forwards requests to Tomcat over the AJP protocol. The connector module includes a management and diagnostics page, jkstatus, that is served by the front-end web server itself (not by a Tomcat web application) and is commonly mapped at the path /jkstatus.

When jkstatus is reachable, remote clients can read detailed configuration information about the connector and its back-end workers (host names, ports, load-balancer state), and, unless the status worker is configured read-only, can also start, stop, and reconfigure those workers.

The jkstatus page is rarely needed in production and should be disabled in most cases by removing its mount and the status worker. If remote administrators do require it, the jkstatus URL should be restricted to trusted source addresses and configured to require authentication, and the status worker should be marked read-only unless management actions are genuinely needed. After the change, an unauthenticated request for /jkstatus should be refused (HTTP 401 or 403) rather than returning the status page.

Solution(s)

  • fix-http-tomcat-jkstatus-accessible
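The following is an added configuration example, not code from the Rapid7 page or from the mod_jk project, showing the exposed setup beside a hardened one for an Apache httpd front end. The worker names (tomcat1, jkstatus), file paths, the 10.0.0.0/8 management network and the htpasswd file are assumptions for illustration; the directive names and the status worker's read_only attribute are mod_jk's own.

```apache
# Added example (not from the Rapid7 page or the mod_jk project): the exposed
# configuration beside a hardened one. Worker names, paths and the 10.0.0.0/8
# management network are assumptions chosen for illustration.

# --- workers.properties ---------------------------------------------------
worker.list=tomcat1,jkstatus

worker.tomcat1.type=ajp13
worker.tomcat1.host=127.0.0.1
worker.tomcat1.port=8009

# The status worker that backs /jkstatus.
worker.jkstatus.type=status
# EXPOSED: read_only defaults to false, so the page accepts state changes
# (stop/start members, edit worker settings) from anyone who can load it.
# worker.jkstatus.read_only=False
# HARDENED: serve diagnostics only; management actions are refused.
worker.jkstatus.read_only=True

# --- httpd.conf (Apache httpd 2.4 syntax) ----------------------------------
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties
JkLogFile     logs/mod_jk.log
JkLogLevel    info

# Normal application traffic forwarded to Tomcat over AJP.
JkMount /app/* tomcat1

# EXPOSED: a bare server-level mount publishes jkstatus to every client that
# can reach the web server. Remove this line.
# JkMount /jkstatus jkstatus

# HARDENED: mount the status worker only inside a <Location> that requires
# both a trusted source address and HTTP authentication. If jkstatus is not
# needed at all, delete this block and drop jkstatus from worker.list instead.
<Location "/jkstatus">
    JkMount jkstatus
    AuthType Basic
    AuthName "JK status"
    AuthUserFile "/etc/httpd/conf/jkstatus.htpasswd"
    <RequireAll>
        Require ip 127.0.0.1 10.0.0.0/8
        Require valid-user
    </RequireAll>
</Location>
```

Note that read_only=True only removes the start/stop/reconfigure actions; the configuration details the page discloses (the confidentiality impact this entry scores) are still shown to anyone who can reach the URL, so the access control in the <Location> block is the part that actually closes this finding. Basic authentication should only be used over TLS, since the credentials are otherwise sent in the clear.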
