Bug 1182591 (CVE-2014-8111)
| Summary: | CVE-2014-8111 Tomcat mod_jk: information leak due to incorrect JkMount/JkUnmount directives processing | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | carnil, cdewolf, chazlett, dandread, darran.lofthouse, fnasser, grocha, huwang, jason.greene, jawilson, jboss-set, jclere, jdoyle, lgao, myarboro, pcheung, pslavice, rsvoboda, security-response-team, twalsh, vtunka, weli |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Apache Tomcat JK Connector 1.2.41 | Doc Type: | Bug Fix |
| Doc Text: |
It was discovered that a JkUnmount rule for a subtree of a previous JkMount rule could be ignored. This could allow a remote attacker to potentially access a private artifact in a tree that would otherwise not be accessible to them.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-10-20 10:49:06 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1188999, 1189001, 1189002, 1235900 | ||
| Bug Blocks: | 1183003, 1212496, 1254231 | ||
|
Description
Vasyl Kaigorodov
2015-01-15 14:05:47 UTC
Statement: Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates of Red Hat Enterprise Application Platform 4 and 5, and Red Hat JBoss Web Server 1. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/ and Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/. This issue did not affect Red Hat JBoss Web Server 3.x. This issue does affect Red Hat JBoss Web Server 2.x; a future update may address this issue. Upstream patch: http://svn.apache.org/viewvc?view=revision&revision=1647017 This issue has been addressed in the following products: JBoss Enterprise Application Platform 6.4.0 Via RHSA-2015:0849 https://rhn.redhat.com/errata/RHSA-2015-0849.html This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 6 Via RHSA-2015:0847 https://rhn.redhat.com/errata/RHSA-2015-0847.html This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 5 Via RHSA-2015:0846 https://rhn.redhat.com/errata/RHSA-2015-0846.html This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 7 Via RHSA-2015:0848 https://rhn.redhat.com/errata/RHSA-2015-0848.html This issue has been addressed in the following products: JBoss Web Server 2.1.0 Via RHSA-2015:1641 https://rhn.redhat.com/errata/RHSA-2015-1641.html This issue has been addressed in the following products: JBEWS 2 for RHEL 6 JBEWS 2 for RHEL 7 JBEWS 2 for RHEL 5 Via RHSA-2015:1642 https://rhn.redhat.com/errata/RHSA-2015-1642.html |