Rapid7 Vulnerability & Exploit Database

RHSA-2007:0380: mod_jk security update

Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published: 05/25/2007
Created: 07/25/2018
Added: 11/26/2007
Modified: 07/04/2017

Description

Updated mod_jk packages that fix a security issue are now available for Red Hat Application Server. This update has been rated as having Important security impact by the Red Hat Security Response Team.

mod_jk is a Tomcat connector that can be used to communicate between Tomcat and the Apache HTTP Server 2. Versions of mod_jk before 1.2.23 decoded request URLs by default inside Apache httpd and forwarded the encoded URL to Tomcat, which itself did a second decoding. If Tomcat was used behind mod_jk and configured to only proxy some contexts, an attacker could construct a carefully crafted HTTP request to work around the context restriction and potentially access non-proxied content (CVE-2007-1860). Users of mod_jk should upgrade to these updated packages, which address this issue by changing the default so mod_jk forwards the original unchanged request URL to Tomcat.
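
The advisory's point is that two decoding passes (one in httpd, one in Tomcat) can give the two servers different views of the same request path. The following is an added detection example, not code from the advisory or from mod_jk: it extracts request targets from constructed access-log lines and flags any path whose second decoding differs from its first, which is the class of request that a context restriction evaluated on the once-decoded form would not see the way Tomcat does.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample access-log lines in combined format (not from the advisory).
# The third request carries a double-encoded byte: %2541 decodes to %41, then to "A".
SAMPLE_LOG = """\
10.0.0.5 - - [25/May/2007:10:00:01 +0000] "GET /examples/index.jsp HTTP/1.1" 200 512
10.0.0.5 - - [25/May/2007:10:00:02 +0000] "GET /examples/a%20b.jsp HTTP/1.1" 200 512
10.0.0.9 - - [25/May/2007:10:00:03 +0000] "GET /examples/%2541bc.jsp HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def request_path(log_line: str) -> Optional[str]:
    """Return the request-target (path plus query) from a combined-format log line."""
    match = REQUEST_RE.search(log_line)
    return match.group("target") if match else None


def decoding_views(path: str) -> tuple:
    """Return (once_decoded, twice_decoded).

    once_decoded models what pre-1.2.23 mod_jk produced inside httpd;
    twice_decoded models what Tomcat saw after decoding that result again.
    """
    once = unquote(path)
    return once, unquote(once)


def is_double_encoded(path: str) -> bool:
    """True when a second decoding pass changes the path, i.e. the two views differ."""
    once, twice = decoding_views(path)
    return once != twice


def flag_double_encoded(log_text: str) -> list:
    """Scan access-log text and report every request whose httpd and Tomcat views differ."""
    findings = []
    for line in log_text.splitlines():
        path = request_path(line)
        if path is None:
            continue
        once, twice = decoding_views(path)
        if once != twice:
            findings.append({"raw": path, "httpd_view": once, "tomcat_view": twice})
    return findings


if __name__ == "__main__":
    for finding in flag_double_encoded(SAMPLE_LOG):
        print(finding)
```

A hit is not proof of abuse (a literal percent sign in a filename legitimately appears as %25), but on a mod_jk deployment older than 1.2.23 it marks exactly the requests whose context restriction httpd and Tomcat may have judged differently.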

Solution(s)

  • redhat-upgrade-mod_jk-ap20
  • redhat-upgrade-mod_jk-manual
