Executive Summary
| Summary | |
|---|---|
| Title | mod_jk security update |
| Informations | |||
|---|---|---|---|
| Name | RHSA-2009:0446 | First vendor Publication | 2009-04-23 |
| Vendor | RedHat | Last vendor Modification | 2009-04-23 |
| Severity (Vendor) | Important | Revision | 01 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:H/Au:N/C:P/I:N/A:N) | |||
|---|---|---|---|
| Cvss Base Score | 2.6 | Attack Range | Network |
| Cvss Impact Score | 2.9 | Attack Complexity | High |
| Cvss Expoit Score | 4.9 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Problem Description: An updated mod_jk package that fixes a security issue is now available for Red Hat Application Stack v2. This update has been rated as having important security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: Red Hat Application Stack v2 for Enterprise Linux (v.5) - i386, x86_64 3. Description: mod_jk is an Apache Tomcat connector that allows Apache Tomcat and the Apache HTTP Server to communicate with each other. An information disclosure flaw was found in mod_jk. In certain situations, if a faulty client set the "Content-Length" header without providing data, or if a user sent repeated requests very quickly, one user may view a response intended for another user. (CVE-2008-5519) As well, the sample configuration files provided in the documentation have been updated to reflect recommended practice. All mod_jk users are advised to upgrade to this updated package. It provides mod_jk 1.2.28, which is not vulnerable to this issue. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 490201 - CVE-2008-5519 mod_jk: session information leak |
Original Source
| Url : https://rhn.redhat.com/errata/RHSA-2009-0446.html |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-200 | Information Exposure |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:13218 | |||
| Oval ID: | oval:org.mitre.oval:def:13218 | ||
| Title: | DSA-1810-1 libapache-mod-jk -- information disclosure | ||
| Description: | An information disclosure flaw was found in mod_jk, the Tomcat Connector module for Apache. If a buggy client included the "Content-Length" header without providing request body data, or if a client sent repeated equests very quickly, one client could obtain a response intended for another client. For the stable distribution, this problem has been fixed in version 1:1.2.26-2+lenny1. The oldstable distribution, this problem has been fixed in version 1:1.2.18-3etch2. For the testing distribution and the unstable distribution, this problem has been fixed in version 1:1.2.26-2.1. We recommend that you upgrade your libapache-mod-jk packages. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1810-1 CVE-2008-5519 | Version: | 5 |
| Platform(s): | Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 | Product(s): | libapache-mod-jk |
| Definition Synopsis: | |||
| |||
| Definition Id: oval:org.mitre.oval:def:7824 | |||
| Oval ID: | oval:org.mitre.oval:def:7824 | ||
| Title: | DSA-1810 libapache-mod-jk -- information disclosure | ||
| Description: | An information disclosure flaw was found in mod_jk, the Tomcat Connector module for Apache. If a buggy client included the "Content-Length" header without providing request body data, or if a client sent repeated requests very quickly, one client could obtain a response intended for another client. The oldstable distribution (etch), this problem has been fixed in version 1:1.2.18-3etch2. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1810 CVE-2008-5519 | Version: | 5 |
| Platform(s): | Debian GNU/Linux 5.0 Debian GNU/Linux 4.0 | Product(s): | libapache-mod-jk |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
OpenVAS Exploits
| Date | Description |
|---|---|
| 2010-02-03 | Name : Solaris Update for Apache 1.3 122911-19 File : nvt/gb_solaris_122911_19.nasl |
| 2010-02-03 | Name : Solaris Update for Apache 1.3 122912-19 File : nvt/gb_solaris_122912_19.nasl |
| 2009-11-11 | Name : SuSE Security Summary SUSE-SR:2009:018 File : nvt/suse_sr_2009_018.nasl |
| 2009-10-13 | Name : Solaris Update for tomcat security 114016-04 File : nvt/gb_solaris_114016_04.nasl |
| 2009-10-13 | Name : Solaris Update for tomcat security 114017-05 File : nvt/gb_solaris_114017_05.nasl |
| 2009-10-13 | Name : Solaris Update for Apache 1.3 122911-17 File : nvt/gb_solaris_122911_17.nasl |
| 2009-10-13 | Name : Solaris Update for Apache 1.3 122912-17 File : nvt/gb_solaris_122912_17.nasl |
| 2009-09-23 | Name : Solaris Update for tomcat security 114017-04 File : nvt/gb_solaris_114017_04.nasl |
| 2009-09-23 | Name : Solaris Update for Apache 1.3 122911-16 File : nvt/gb_solaris_122911_16.nasl |
| 2009-09-23 | Name : Solaris Update for Apache 1.3 122912-16 File : nvt/gb_solaris_122912_16.nasl |
| 2009-07-06 | Name : Gentoo Security Advisory GLSA 200906-04 (mod_jk) File : nvt/glsa_200906_04.nasl |
| 2009-06-15 | Name : RedHat Security Advisory RHSA-2009:1087 File : nvt/RHSA_2009_1087.nasl |
| 2009-04-28 | Name : RedHat Security Advisory RHSA-2009:0446 File : nvt/RHSA_2009_0446.nasl |
| 2009-04-17 | Name : Apache Tomcat mod_jk Information Disclosure Vulnerability File : nvt/gb_apache_tomcat_mod_jk_info_disc_vuln.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 53381 | Apache Tomcat JK Connector Content-Length Header Cross-user Information Discl... |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2010-06-14 | Name : The remote web server is prone to an information disclosure attack. File : mod_jk_1_2_27.nasl - Type : ACT_GATHER_INFO |
| 2010-01-10 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2009-1618.nasl - Type : ACT_GATHER_INFO |
| 2009-11-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_0_apache2-mod_jk-091028.nasl - Type : ACT_GATHER_INFO |
| 2009-11-05 | Name : The remote openSUSE host is missing a security update. File : suse_11_1_apache2-mod_jk-091028.nasl - Type : ACT_GATHER_INFO |
| 2009-11-05 | Name : The remote openSUSE host is missing a security update. File : suse_apache2-mod_jk-6599.nasl - Type : ACT_GATHER_INFO |
| 2009-06-30 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200906-04.nasl - Type : ACT_GATHER_INFO |
| 2009-06-03 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1810.nasl - Type : ACT_GATHER_INFO |
| 2006-07-18 | Name : The remote host is missing Sun Security Patch number 122911-37 File : solaris10_122911.nasl - Type : ACT_GATHER_INFO |
| 2006-07-18 | Name : The remote host is missing Sun Security Patch number 122912-37 File : solaris10_x86_122912.nasl - Type : ACT_GATHER_INFO |
| 2004-07-12 | Name : The remote host is missing Sun Security Patch number 114016-08 File : solaris9_114016.nasl - Type : ACT_GATHER_INFO |
| 2004-07-12 | Name : The remote host is missing Sun Security Patch number 114017-07 File : solaris9_x86_114017.nasl - Type : ACT_GATHER_INFO |
