The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache Tomcat: information disclosure via mod_proxy_ajp

Synthesis of the vulnerability 

In some cases, the mod_proxy_ajp module can send to the client data belonging to another user.
Impacted systems: Apache httpd, JBoss AS OpenSource, Mandriva Linux, OpenSolaris, Solaris, RHEL, Slackware.
Severity of this alert: 2/4.
Creation date: 23/04/2009.
References of this alert: 46949, BID-34663, CVE-2009-1191, MDVSA-2009:102, MDVSA-2009:323, RHSA-2009:1058-01, SSA:2009-214-01, VIGILANCE-VUL-8669.

Description of the vulnerability 

The mod_proxy_ajp module is the interface between the Apache httpd server and the Apache Tomcat server.

An AJP (Apache JServ Protocol) request is composed of:
 - a header
 - a body ("POST")

However, if the client closes the connection before sending the body, the mod_proxy_ajp module of Apache httpd 2.2.11 becomes desynchronized with the backend: the Tomcat connection is still waiting for the promised body while httpd already treats it as free. Data belonging to another user can thus be returned to the client. This vulnerability is different from VIGILANCE-VUL-8609.

In some cases, the mod_proxy_ajp module can therefore send to the client data belonging to another user.
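The following example, added here and not taken from the bulletin or from the Apache httpd sources, models the framing described above and the invariant a reverse proxy must preserve: a backend (AJP) connection may only be returned to the pool once the whole client request, body included, has been forwarded. It builds a minimal AJP13 Forward Request carrying a Content-Length header (encoded header code 0xA008, request prefix 2, method code 4 for POST and the 0x1234 magic all follow the AJP13 protocol reference), then feeds two constructed client streams to a simplified proxy loop. The `forward_to_backend` function, its return dictionary and the one-packet-per-chunk body model are assumptions for illustration; real mod_proxy_ajp also exchanges GET_BODY_CHUNK messages with Tomcat, which is omitted here.

```python
"""Toy model of AJP13 request framing and safe backend-connection reuse.

Constructed example: shows why a client that disconnects before sending its
request body leaves the backend connection in a state that must not be reused.
"""
import io
import struct

AJP_MAGIC_CLIENT = b"\x12\x34"    # httpd -> Tomcat packet magic (AJP13 spec)
JK_AJP13_FORWARD_REQUEST = 0x02   # request prefix code
SC_M_POST = 4                     # method code for POST
SC_REQ_CONTENT_LENGTH = 0xA008    # encoded header name for Content-Length


def ajp_string(s: str) -> bytes:
    """AJP string: 2-byte big-endian length, bytes, NUL terminator."""
    data = s.encode()
    return struct.pack(">H", len(data)) + data + b"\x00"


def ajp_packet(payload: bytes) -> bytes:
    """Frame a payload as one client->container AJP packet."""
    return AJP_MAGIC_CLIENT + struct.pack(">H", len(payload)) + payload


def forward_request(uri: str, content_length: int) -> bytes:
    """Minimal Forward Request announcing a body of content_length bytes."""
    payload = bytes([JK_AJP13_FORWARD_REQUEST, SC_M_POST])
    payload += ajp_string("HTTP/1.1") + ajp_string(uri)
    payload += ajp_string("127.0.0.1") + ajp_string("") + ajp_string("localhost")
    payload += struct.pack(">H", 80) + b"\x00"          # server_port, is_ssl
    payload += struct.pack(">H", 1)                       # num_headers
    payload += struct.pack(">H", SC_REQ_CONTENT_LENGTH) + ajp_string(str(content_length))
    payload += b"\xff"                                    # request terminator
    return ajp_packet(payload)


def body_packet(data: bytes) -> bytes:
    """Body chunk: 2-byte data length followed by the data."""
    return ajp_packet(struct.pack(">H", len(data)) + data)


def read_packet(stream: io.BytesIO):
    """Return the next packet payload, or None if the stream ended early."""
    head = stream.read(4)
    if len(head) < 4:
        return None
    if head[:2] != AJP_MAGIC_CLIENT:
        raise ValueError("bad AJP magic")
    (length,) = struct.unpack(">H", head[2:4])
    payload = stream.read(length)
    return payload if len(payload) == length else None


def read_string(payload: bytes, off: int):
    (n,) = struct.unpack(">H", payload[off:off + 2])
    return payload[off + 2:off + 2 + n].decode(), off + 2 + n + 1


def content_length_of(payload: bytes) -> int:
    """Walk a Forward Request just far enough to find Content-Length."""
    off = 2                                   # skip prefix and method codes
    for _ in range(5):                        # protocol, uri, addr, host, server
        _, off = read_string(payload, off)
    off += 3                                  # server_port (2) + is_ssl (1)
    (num_headers,) = struct.unpack(">H", payload[off:off + 2])
    off += 2
    for _ in range(num_headers):
        (code,) = struct.unpack(">H", payload[off:off + 2])
        if code & 0xFF00 == 0xA000:           # well-known header, 2-byte code
            off += 2
        else:                                 # literal header name string
            _, off = read_string(payload, off)
            code = None
        value, off = read_string(payload, off)
        if code == SC_REQ_CONTENT_LENGTH:
            return int(value)
    return 0


def forward_to_backend(client_stream: io.BytesIO) -> dict:
    """Simplified proxy loop: report whether the backend connection stays clean."""
    req = read_packet(client_stream)
    if req is None or req[0] != JK_AJP13_FORWARD_REQUEST:
        return {"reusable": False, "reason": "no request", "missing": 0}
    remaining = content_length_of(req)
    while remaining > 0:
        chunk = read_packet(client_stream)
        if chunk is None:
            # The client went away before delivering the body it announced.
            # The backend is still expecting `remaining` bytes, so the
            # connection is desynchronized: close it, never pool it.
            return {"reusable": False, "reason": "client aborted mid-body",
                    "missing": remaining}
        (n,) = struct.unpack(">H", chunk[:2])
        remaining -= n
    return {"reusable": True, "reason": "request fully forwarded", "missing": 0}


if __name__ == "__main__":
    complete = io.BytesIO(forward_request("/app", 5) + body_packet(b"hello"))
    truncated = io.BytesIO(forward_request("/app", 5))   # body never sent
    print(forward_to_backend(complete))
    print(forward_to_backend(truncated))
```

The defensive rule the model enforces is the one the bulletin's description implies: a connection whose request was only partially forwarded has no well-defined next message boundary, so any response later read from it cannot be trusted to belong to the current client.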
Full bulletin, software filtering, emails, fixes, ... (Request your free trial)

This computer vulnerability bulletin impacts software or systems such as Apache httpd, JBoss AS OpenSource, Mandriva Linux, OpenSolaris, Solaris, RHEL, Slackware.

Our Vigil@nce team determined that the severity of this vulnerability bulletin is medium.

The trust level is "confirmed by the editor", and the attack origin is an Internet client.

An attacker with expert ability can exploit this threat.

Solutions for this threat 

Apache httpd: version 2.2.12.
Version 2.2.12 is fixed:
  http://httpd.apache.org/

Apache httpd: patch for mod_proxy_ajp.
A patch is available in information sources.

Mandriva 2008.0: new apache packages.
New packages are available:
  apache-2.2.6-8.3mdv2008.0

Mandriva: new apache packages.
New packages are available:
 Mandriva Linux 2009.1: apache-2.2.11-10.1mdv2009.1

OpenSolaris: build for Apache.
The build 124 is available.

RHEL JBoss: new httpd packages.
New packages are available:
JBoss Enterprise Web Server 4AS-JBEWS-5.0.0:
  httpd22-2.2.10-16.1.ep5.el4
JBoss Enterprise Web Server 4ES-JBEWS-5.0.0:
  httpd22-2.2.10-16.1.ep5.el4
JBoss Enterprise Web Server 5Server-JBEWS-5.0.0:
  httpd-2.2.10-4.ep5.el5

Slackware: new httpd packages.
New packages are available:
Slackware 12.0:
ftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/httpd-2.2.12-i486-1_slack12.0.tgz
Slackware 12.1:
ftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/httpd-2.2.12-i486-1_slack12.1.tgz
Slackware 12.2:
ftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/httpd-2.2.12-i486-1_slack12.2.tgz

Solaris: patch for Apache.
A patch is available:
OpenSolaris snv_111b:
  6972023
  6937352
  6864797
  6935576
  6936032
  6882208
  6857346
  6841115
  6838652
  6844352

Computer vulnerabilities tracking service 

Vigil@nce provides software vulnerabilities alerts. Each administrator can customize the list of products for which he wants to receive vulnerability alerts.