Bug 490201 (CVE-2008-5519)

Summary: CVE-2008-5519 mod_jk: session information leak
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bressers, cperry, jorton, mjc, mturk, mvecera, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-07-26 15:19:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 493986, 493987, 493988, 493992, 493993, 500423, 500456    
Bug Blocks:    

Description Vincent Danen 2009-03-13 19:21:05 UTC 
An issue with mod_jk 1.2.26, and possibly older versions, allows one user to see another user's information due to missing logic where faulty clients set Content-Length without providing data, or if a user submits too many times very fast.

The relevant changelog entry in mod_jk 1.2.27 that corrects the issue is:

"AJP13: Always send initial POST packet even if the client disconnected after sending request but before providing POST data. In that case or in case the client broke the connection in a middle of read send an zero size packet informing container about broken client connection. (mturk)"

from http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html
Comment 5 Vincent Danen 2009-04-03 15:21:38 UTC 
This issue affects 1.2.0 through to 1.2.26 and is fixed in revision 702540:

http://svn.eu.apache.org/viewvc?view=rev&revision=702540
Comment 9 Vincent Danen 2009-04-07 21:17:53 UTC 
This is public now:

http://marc.info/?l=tomcat-dev&m=123913700700879
Comment 10 errata-xmlrpc 2009-04-23 18:48:50 UTC 
This issue has been addressed in following products:

  Red Hat Web Application Stack for RHEL 5

Via RHSA-2009:0446 https://rhn.redhat.com/errata/RHSA-2009-0446.html
Comment 13 errata-xmlrpc 2009-06-09 14:31:21 UTC 
This issue has been addressed in following products:

  RHAPS Version 2 for RHEL 4

Via RHSA-2009:1087 https://rhn.redhat.com/errata/RHSA-2009-1087.html
Comment 14 errata-xmlrpc 2009-11-30 15:18:43 UTC 
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.1
  Red Hat Network Satellite Server v 5.2

Via RHSA-2009:1618 https://rhn.redhat.com/errata/RHSA-2009-1618.html
Comment 15 Josh Bressers 2011-07-26 14:47:24 UTC 
We will not be issuing a fix for this flaw in Red Hat Network Satellite Server v 5.0. That version is only supported for high priority security fixes, which this is not.