5 - RHSA-2007:0379

Executive Summary

This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.

Summary
Title	mod_jk security update

Informations
Name	RHSA-2007:0379	First vendor Publication	2007-05-30
Vendor	RedHat	Last vendor Modification	2007-05-30
Severity (Vendor)	Important	Revision	01

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Cvss Base Score	5	Attack Range	Network
Cvss Impact Score	2.9	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

Updated mod_jk packages that fix a security issue are now available for Red Hat Application Stack v1.1.

This update has been rated as having Important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Application Stack v1 for Enterprise Linux AS (v.4) - i386, x86_64 Red Hat Application Stack v1 for Enterprise Linux ES (v.4) - i386, x86_64

3. Problem description:

mod_jk is a Tomcat connector that can be used to communicate between Tomcat and the Apache HTTP Server 2. mod_jk was first distributed with Red Hat Application Stack version 1.1 released on 19 February 2007.

Versions of mod_jk before 1.2.23 decoded request URLs by default inside Apache httpd and forwarded the encoded URL to Tomcat, which itself did a second decoding. If Tomcat was used behind mod_jk and configured to only proxy some contexts, an attacker could construct a carefully crafted HTTP request to work around the context restriction and potentially access non-proxied content (CVE-2007-1860).

Users of mod_jk should upgrade to these updated packages, which address this issue by changing the default so mod_jk forwards the original unchanged request URL to Tomcat.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/):

237656 - CVE-2007-1860 mod_jk sends decoded URL to tomcat

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2007-0379.html

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:18548

Oval ID:	oval:org.mitre.oval:def:18548
Title:	DSA-1312-1 libapache-mod-jk
Description:	It was discovered that the Apache 1.3 connector for the Tomcat Java servlet engine decoded request URLs multiple times, which can lead to information disclosure.
Family:	unix	Class:	patch
Reference(s):	DSA-1312-1 CVE-2007-1860	Version:	5
Platform(s):	Debian GNU/Linux 4.0	Product(s):	libapache-mod-jk
Definition Synopsis:
Debian GNU/Linux 4.0 is installed. AND libapache-mod-jk DPKG is earlier than 1:1.2.18-3etch1

Definition Id: oval:org.mitre.oval:def:6002

Oval ID:	oval:org.mitre.oval:def:6002
Title:	HP-UX running Apache, Remote Arbitrary Code Execution, Cross Site Scripting (XSS)
Description:	mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2007-1860	Version:	9
Platform(s):	HP-UX 11	Product(s):
Definition Synopsis:
Criteria meets HP Security Bulletin HPSBUX02262 platforms HP Release B.11.23 AND HP-UX B.11.31 AND HP Release B.11.11 AND hpuxwsAPACHE version is less than B.2.0.59.00 OR Criteria meets HP Security Bulletin HPSBUX02262 HP Release B.11.11 AND hpuxwsAPACHE version is less than A.2.0.59.00

CPE : Common Platform Enumeration

Type	Description	Count
Application	Apache Tomcat Jk Web Server Connector cpe:2.3:a:apache:tomcat_jk_web_server_connector:1.2.20:::::::* cpe:2.3:a:apache:tomcat_jk_web_server_connector:1.2.19:::::::*	2

OpenVAS Exploits

Date	Description
2009-10-10	Name : SLES9: Security update for Tomcat File : nvt/sles9p5021793.nasl
2009-05-05	Name : HP-UX Update for Apache HPSBUX02262 File : nvt/gb_hp_ux_HPSBUX02262.nasl
2008-09-24	Name : Gentoo Security Advisory GLSA 200708-15 (mod_jk) File : nvt/glsa_200708_15.nasl
2008-09-04	Name : FreeBSD Ports: mod_jk File : nvt/freebsd_mod_jk.nasl
2008-01-17	Name : Debian Security Advisory DSA 1312-1 (libapache-mod-jk) File : nvt/deb_1312_1.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
34877	Apache Tomcat JK Web Server Connector (mod_jk) Double Encoded Traversal Arbit... Apache Tomcat JK Web Server Connector contains a flaw that allows a remote attacker to access files on the AJP back-end outside of the web root. The issue is due to a failure of handling double encoded ".." in a URL, specifically directory traversal style attacks.

Nessus® Vulnerability Scanner

Date	Description
2010-01-10	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0261.nasl - Type : ACT_GATHER_INFO
2010-01-10	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0524.nasl - Type : ACT_GATHER_INFO
2009-09-24	Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12078.nasl - Type : ACT_GATHER_INFO
2008-03-04	Name : The remote openSUSE host is missing a security update. File : suse_apache2-mod_jk-4997.nasl - Type : ACT_GATHER_INFO
2008-02-29	Name : The remote openSUSE host is missing a security update. File : suse_apache2-mod_jk-4992.nasl - Type : ACT_GATHER_INFO
2008-02-27	Name : The remote SuSE 10 host is missing a security-related patch. File : suse_tomcat5-4990.nasl - Type : ACT_GATHER_INFO
2007-08-21	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200708-15.nasl - Type : ACT_GATHER_INFO
2007-08-02	Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_SecUpd2007-007.nasl - Type : ACT_GATHER_INFO
2007-06-21	Name : The remote Debian host is missing a security-related update. File : debian_DSA-1312.nasl - Type : ACT_GATHER_INFO
2007-06-05	Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_d9405748134211dca35c001485ab073e.nasl - Type : ACT_GATHER_INFO

Global Informations

Type	Count
CWE ID(s)	1
Oval ID(s)	2
CPE ID(s)	2
osvdb(s)	1
Openvas Exploit(s)	5
Nessus® Exploit(s)	10

	Related
5	CVE-2007-1860
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 1 more Alert(s)