The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache Tomcat: information disclosure via mod_jk

Synthesis of the vulnerability 

In some cases, the mod_jk module can send to the client data belonging to another user.
Impacted systems: Tomcat, Debian, NLD, OES, openSUSE, Solaris, RHEL, SLES.
Severity of this alert: 2/4.
Creation date: 08/04/2009.
References of this alert: 262468, 6828821, BID-34412, CVE-2008-5519, DSA-1810-1, RHSA-2009:0446-01, RHSA-2009:1087-01, RHSA-2009:1618-01, SUSE-SR:2009:018, SUSE-SR:2009:020, VIGILANCE-VUL-8609.

Description of the vulnerability 

The mod_jk module is the interface between the Apache Tomcat server and the web server.

An AJP (Apache JServ Protocol) request is composed of:
 - a header
 - a body ("POST") if the Content-Length header was used

However, if the client sends a Content-Length header with no body (or if requests arrive too fast), the mod_jk module desynchronizes: the body it expects never arrives on the connection, so the responses read from that connection no longer match the requests. Data belonging to another user can thus be returned to the client.

In some cases, the mod_jk module can therefore send to the client data belonging to another user.
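The desynchronization described above can be made concrete with a small model of a persistent backend connection, written here as an added illustration (it is not mod_jk code and does not implement the AJP wire format). The mock container answers a request only once the declared body has fully arrived; a proxy that returns such a connection to its idle pool regardless hands the next user the previous user's reply, while the hardened proxy discards any connection whose declared body was not fully sent. The classes, client names and response strings are constructed for the example.

```python
"""Toy model of the mod_jk-style desynchronization (constructed example).

Not mod_jk or AJP code: it only models the bookkeeping that matters, namely
whether the body a request declared was actually delivered before the
backend connection is reused for someone else.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    client: str           # who sent the request (constructed label)
    content_length: int   # what the Content-Length header declared
    body: bytes           # what actually arrived (may be shorter)

    def body_complete(self) -> bool:
        return len(self.body) == self.content_length


class Container:
    """Mock servlet container at the far end of one persistent connection."""

    def __init__(self):
        # Client whose body the container is still waiting for, if any.
        self.owed_response_for = None

    def handle(self, req: Request):
        if self.owed_response_for is not None:
            # Still reading the earlier request's body: the bytes of this new
            # request are consumed as that body, and the reply produced belongs
            # to the earlier client. The proxy will read it as the reply to
            # the request it just forwarded.
            prev, self.owed_response_for = self.owed_response_for, None
            return f"response for {prev}"
        if not req.body_complete():
            # Declared body missing: no reply yet, the container keeps waiting.
            self.owed_response_for = req.client
            return None
        return f"response for {req.client}"


@dataclass
class Proxy:
    """Front-end proxy owning a pool of idle backend connections."""
    hardened: bool
    pool: list = field(default_factory=list)

    def serve(self, req: Request):
        conn = self.pool.pop() if self.pool else Container()
        reply = conn.handle(req)  # None models a timeout waiting for the reply
        if self.hardened and not req.body_complete():
            # The connection's state is unknown: the container may still be
            # waiting for body bytes. Drop it instead of reusing it.
            return reply
        self.pool.append(conn)
        return reply


def run_scenario(hardened: bool):
    """Two users share the proxy; the first declares a body it never sends."""
    proxy = Proxy(hardened=hardened)
    requests = [
        Request("alice", content_length=10, body=b""),      # header only
        Request("bob", content_length=0, body=b""),         # ordinary request
    ]
    return [(req.client, proxy.serve(req)) for req in requests]


if __name__ == "__main__":
    print("reuse regardless:", run_scenario(hardened=False))
    print("drop incomplete: ", run_scenario(hardened=True))
```

With `hardened=False` the second user receives "response for alice"; with `hardened=True` alice's half-consumed connection is discarded, so bob gets his own reply from a fresh one. The real fix lives in mod_jk 1.2.27, listed under the solutions below; the model only shows which invariant a reverse proxy must preserve before recycling a backend connection.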

This threat impacts software or systems such as Tomcat, Debian, NLD, OES, openSUSE, Solaris, RHEL, SLES.

Our Vigil@nce team determined that the severity of this computer threat is medium.

The trust level is confirmed by the editor; the attack origin is an internet client.

An attacker with expert ability can exploit this cybersecurity bulletin.

Solutions for this threat 

mod_jk: version 1.2.27.
Version 1.2.27 is corrected:
  http://tomcat.apache.org/

Debian: new libapache-mod-jk packages.
New packages are available:
  http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2_*.deb
  http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.26-2+lenny1_*.deb

Red Hat Network Satellite Server 5.1 and 5.2: new mod_jk packages.
New packages are available:
  mod_jk-1.2.25-10

RHAS v2: new mod_jk packages (09/06/2009).
New packages are available:
Red Hat Application Server v2: mod_jk-1.2.28-1jpp_3rh

RHAS v2: new mod_jk packages (24/04/2009).
New packages are available:
  mod_jk-1.2.28-1.el5s2

Solaris: patch for mod_jk.
A patch is available:
SPARC Platform
  Solaris 10 : patch 122911-16
  Solaris 9 : patch 114016-04
x86 Platform
  Solaris 10 : patch 122912-16
  Solaris 9 : patch 114017-04

SUSE: new packages (12/01/2010).
New packages are available, as indicated in information sources.

SUSE: new packages (12/11/2009).
New packages are available, as indicated in information sources.

Computer vulnerabilities tracking service 

Vigil@nce provides a software vulnerabilities alert. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system.