The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache Tomcat, mod_jk: buffer overflow of map_uri_to_worker

Synthesis of the vulnerability 

An attacker can generate an overflow in mod_jk, in order to generate a denial of service or to execute code.
Impacted software: Tomcat, HP-UX, Windows (platform) ~ not comprehensive, RHEL, Unix (platform) ~ not comprehensive.
Severity of this computer vulnerability: 3/4.
Creation date: 05/03/2007.
Revision dates: 25/06/2007, 09/07/2007, 21/07/2008.
References of this announcement: BID-22791, c01178795, CERTA-2007-AVI-108, CVE-2007-0774, HPSBUX02262, RHSA-2007:0096-01, SSRT071447, VIGILANCE-VUL-6604, ZDI-07-008.

Description of the vulnerability 

Tomcat JK Connectors provides the mod_jk connector, which connects Tomcat to the Apache httpd web server.

When the size of a URL exceeds 4095 bytes, an overflow occurs in the map_uri_to_worker() function of native/common/jk_uri_worker_map.c.

An attacker can therefore create an overflow in mod_jk, in order to generate a denial of service or to execute code.

Only versions 1.2.19 and 1.2.20 of the JK Connector are vulnerable. These versions are included in Tomcat 5.5.20 and Tomcat 4.1.34 only.
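
The 4095-byte threshold described above can be used to triage web server access logs for requests long enough to reach the overflow. The following Python script is an added example, not code from this bulletin or from the Apache project; it assumes Apache's common/combined log format, and the function names and sample log lines are constructed for illustration.

```python
import re

# Threshold from the advisory: URLs over 4095 bytes reach the overflow.
MAX_URL_BYTES = 4095

# Assumed format: Apache common/combined log
# host ident user [time] "request line" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+'
)

def url_length(request_line):
    """Byte length of the request target, or None for a malformed line."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None  # e.g. "-" logged for a timed-out connection
    # Drop the method and, when present, the trailing protocol token.
    target = " ".join(parts[1:-1]) if len(parts) >= 3 else parts[1]
    # Conservative: the query string is counted too, so this may over-report.
    return len(target.encode("utf-8"))

def find_oversized_requests(lines, limit=MAX_URL_BYTES):
    """Return (host, time, status, url_bytes) for each URL longer than limit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        n = url_length(m.group("request"))
        if n is not None and n > limit:
            hits.append((m.group("host"), m.group("time"),
                         int(m.group("status")), n))
    return hits

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Mar/2007:10:00:00 +0000] "GET /app/index.jsp HTTP/1.1" 200 512',
    # "/app/" + 4090 bytes = 4095 bytes: at the limit, not flagged
    '192.0.2.11 - - [05/Mar/2007:10:00:05 +0000] "GET /app/' + "A" * 4090 + ' HTTP/1.1" 404 210',
    # "/app/" + 4091 bytes = 4096 bytes: over the limit, flagged
    '198.51.100.7 - - [05/Mar/2007:10:00:09 +0000] "GET /app/' + "A" * 4091 + ' HTTP/1.1" 404 210',
    '198.51.100.8 - - [05/Mar/2007:10:00:12 +0000] "-" 408 -',
]

if __name__ == "__main__":
    for host, when, status, size in find_oversized_requests(SAMPLE_LOG):
        print(f"{when} {host} status={status} url_bytes={size}")
```

A request that crashes the httpd child process may never be written to the access log, so child-exit messages in the error log are a complementary signal.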

This vulnerability bulletin impacts software or systems such as Tomcat, HP-UX, Windows (platform) ~ not comprehensive, RHEL, Unix (platform) ~ not comprehensive.

Our Vigil@nce team determined that the severity of this security note is important.

The trust level is of type confirmed by the editor, with an origin of internet client.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with beginner-level skills can exploit this vulnerability.

Solutions for this threat 

Tomcat JK Connector, mod_jk: version 1.2.21.
Version 1.2.21 is corrected:
  http://www.apache.org/dist/tomcat/tomcat-connectors/jk/
A workaround is to limit the URI length via the LimitRequestLine directive of Apache httpd.

Tomcat: version 5.5.23 [5.5.22, 5.5.21].
Version 5.5.23 is corrected:
  http://tomcat.apache.org/
Note: versions 5.5.21 and 5.5.22 were not published.

HP-UX: version Apache-based Web Server.
Version is corrected:
  HP-UX Apache-based Web Server v.2.18
Solution depends on version:
For IPv4:
 - HP-UX B.11.11 :
      install A.2.0.59.00
For IPv6:
 - HP-UX B.11.11
 - HP-UX B.11.23
 - HP-UX B.11.31
      install B.2.0.59.00

Red Hat Application Stack: new mod_jk packages.
New packages are available:
Red Hat Application Stack v1 for Enterprise Linux v.4: mod_jk-1.2.20-1.el4s1.2
