The version of Apache Tomcat JK Connector (mod_jk) installed on the remote host is version 1.2.x prior to 1.2.46. It is, therefore, affected by an access control bypass vulnerability due to improper handling of the Apache web server specific code that normalised the requested path before matching it to the URI-worker map.

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

This update for apache2-mod_jk fixes the following issue :

Security issue fixed :

CVE-2018-11759: Fixed connector path traversal due to mishandled HTTP requests in httpd (bsc#1114612).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A vulnerability has been discovered in libapache-mod-jk, the Apache 2 connector for the Tomcat Java servlet engine.

The libapache-mod-jk connector is susceptible to information disclosure and privilege escalation because of a mishandling of URL normalization.

The nature of the fix required that libapache-mod-jk in Debian 8 'Jessie' be updated to the latest upstream release. For reference, the upstream changes associated with each release version are documented here :

http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html

For Debian 8 'Jessie', this problem has been fixed in version 1.2.46-0+deb8u1.

We recommend that you upgrade your libapache-mod-jk packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:0367 advisory.

    Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This     software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged     under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent     update experience.

    This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.29 Service Pack 1 serves as an update     to Red Hat JBoss Core Services Apache HTTP Server 2.4.29, and includes bug fixes for CVEs which are linked     to in the References section.

    Security Fixes:

    * httpd: DoS for HTTP/2 connections by continuous SETTINGS (CVE-2018-11763)

    * httpd: Weak Digest auth nonce generation in mod_auth_digest     (CVE-2018-1312)

    * httpd: Out of bound access after failure in reading the HTTP request     (CVE-2018-1301)

    * httpd: Use-after-free on HTTP/2 stream shutdown (CVE-2018-1302)

    * httpd: <FilesMatch> bypass with a trailing newline in the file name     (CVE-2017-15715)

    * httpd: Out of bound write in mod_authnz_ldap when using too small     Accept-Language values (CVE-2017-15710)

    * httpd: Out of bounds read in mod_cache_socache can allow a remote     attacker to cause a denial of service (CVE-2018-1303)

    * httpd: Improper handling of headers in mod_session can allow a remote     user to modify session data for CGI applications (CVE-2018-1283)

    * httpd: mod_http2: too much time allocated to workers, possibly leading to     DoS (CVE-2018-1333)

    * mod_jk: connector path traversal due to mishandled HTTP requests in httpd     (CVE-2018-11759)

    * nghttp2: Null pointer dereference when too large ALTSVC frame is received     (CVE-2018-1000168)

    * openssl: Handling of crafted recursive ASN.1 structures can cause a stack     overflow and resulting denial of service (CVE-2018-0739)

    Details around each issue, including information about the CVE, severity of     the issue, and the CVSS score, can be found on the CVE pages listed in the     Reference section below.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for apache2-mod_jk fixes the following issue :

Security issue fixed :

  - CVE-2018-11759: Fixed connector path traversal due to     mishandled HTTP requests in httpd (bsc#1114612).

This update was imported from the SUSE:SLE-15:Update update project.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has a package installed that is affected by a vulnerability as referenced in the SUSE-SU-2023:4513-1 advisory.

  - The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the     URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases     correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible     for a specially constructed request to expose application functionality through the reverse proxy that was     not intended for clients accessing the application via the reverse proxy. It was also possible in some     configurations for a specially constructed request to bypass the access controls configured in httpd.
    While there is some overlap between this issue and CVE-2018-1323, they are not identical. (CVE-2018-11759)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Raphael Arrouas and Jean Lejeune discovered an access control bypass vulnerability in mod_jk, the Apache connector for the Tomcat Java servlet engine. The vulnerability is addressed by upgrading mod_jk to the new upstream version 1.2.46, which includes additional changes.

  -     https://tomcat.apache.org/connectors-doc/miscellaneous/c     hangelog.html#Changes_between_1.2.42_and_1.2.43
  -     https://tomcat.apache.org/connectors-doc/miscellaneous/c     hangelog.html#Changes_between_1.2.43_and_1.2.44

  -     https://tomcat.apache.org/connectors-doc/miscellaneous/c     hangelog.html#Changes_between_1.2.44_and_1.2.45

  -     https://tomcat.apache.org/connectors-doc/miscellaneous/c     hangelog.html#Changes_between_1.2.45_and_1.2.46

This update for apache2-mod_jk fixes the following issues :

Security issues fixed :

CVE-2018-11759: Fixed connector path traversal due to mishandled HTTP requests in httpd (bsc#1114612).

CVE-2014-8111: Apache Tomcat Connectors (mod_jk) ignored JkUnmount rules for subtrees of previous JkMount rules, which allowed remote attackers to access otherwise restricted artifacts via unspecified vectors (bsc#927845).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Published	Updated	Severity
98522	Apache Tomcat JK Connector 1.2.x < 1.2.46 Access Control Bypass	Web App Scanning	Component Vulnerability	3/25/2019	3/14/2023	high
119333	SUSE SLES12 Security Update : apache2-mod_jk (SUSE-SU-2018:3963-1)	Nessus	SuSE Local Security Checks	12/4/2018	7/17/2024	high
125666	SUSE SLES12 Security Update : apache2-mod_jk (SUSE-SU-2018:3963-2)	Nessus	SuSE Local Security Checks	6/3/2019	5/17/2024	high
119729	Debian DLA-1609-1 : libapache-mod-jk security update	Nessus	Debian Local Security Checks	12/18/2018	7/15/2024	high
122292	RHEL 6 / 7 : Red Hat JBoss Core Services Apache HTTP Server 2.4.29 (RHSA-2019:0367)	Nessus	Red Hat Local Security Checks	2/19/2019	11/6/2024	critical
123393	openSUSE Security Update : apache2-mod_jk (openSUSE-2019-970)	Nessus	SuSE Local Security Checks	3/27/2019	6/7/2024	high
119543	openSUSE Security Update : apache2-mod_jk (openSUSE-2018-1510)	Nessus	SuSE Local Security Checks	12/10/2018	7/16/2024	high
186158	SUSE SLES15 / openSUSE 15 Security Update : apache2-mod_jk (SUSE-SU-2023:4513-1)	Nessus	SuSE Local Security Checks	11/22/2023	11/22/2023	high
119850	Debian DSA-4357-1 : libapache-mod-jk - security update	Nessus	Debian Local Security Checks	12/24/2018	7/15/2024	high
119336	SUSE SLES11 Security Update : apache2-mod_jk (SUSE-SU-2018:3970-1)	Nessus	SuSE Local Security Checks	12/4/2018	7/17/2024	high
120175	SUSE SLES15 Security Update : apache2-mod_jk (SUSE-SU-2018:3969-1)	Nessus	SuSE Local Security Checks	1/2/2019	7/9/2024	high

Detections

Analytics

Plugins Search

high

high

high

high

critical

high

high

high

high

high

high