Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1182591 - (CVE-2014-8111) CVE-2014-8111 Tomcat mod_jk: information leak due to incorrect JkMount/JkUnmount directives processing
CVE-2014-8111 Tomcat mod_jk: information leak due to incorrect JkMount/JkUnmo...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20150414,repor...
: Security
Depends On: 1235900 1188999 1189001 1189002
Blocks: 1183003 1212496 1254231
  Show dependency treegraph
 
Reported: 2015-01-15 09:05 EST by Vasyl Kaigorodov
Modified: 2018-01-30 07:24 EST (History)
23 users (show)

See Also:
Fixed In Version: Apache Tomcat JK Connector 1.2.41
Doc Type: Bug Fix
Doc Text:
It was discovered that a JkUnmount rule for a subtree of a previous JkMount rule could be ignored. This could allow a remote attacker to potentially access a private artifact in a tree that would otherwise not be accessible to them.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0846 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.0 update 2015-04-16 16:17:12 EDT
Red Hat Product Errata RHSA-2015:0847 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.0 update 2015-04-16 16:13:53 EDT
Red Hat Product Errata RHSA-2015:0848 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.0 update 2015-04-16 16:26:01 EDT
Red Hat Product Errata RHSA-2015:0849 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.0 update 2015-04-16 15:39:06 EDT
Red Hat Product Errata RHSA-2015:1641 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.0 security update 2015-08-18 18:48:48 EDT
Red Hat Product Errata RHSA-2015:1642 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.0 security update 2015-08-18 18:51:12 EDT

  None (edit)
Description Vasyl Kaigorodov 2015-01-15 09:05:47 EST 
A vulnerability has been found in the mod_jk connector relating to the use of JkMount and JkUnmount.

A JkUnmount rule for a subtree of a previous JkMount rule could be ignored. This could allow a remote attacker to potentially access a private artifact in a directory tree that would otherwise not be accessible to them.

If you use a mount rule like

JkMount /a/b/* myworker

Then 

JkUnmount /a/b/private/* myworker

Artifacts in the private folder would still be accessible.

This vulnerability affected all versions of mod_jk.
Comment 2 Timothy Walsh 2015-02-04 03:23:52 EST 
Statement:

Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates of Red Hat Enterprise Application Platform 4 and 5, and Red Hat JBoss Web Server 1. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/ and Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/.

This issue did not affect Red Hat JBoss Web Server 3.x. This issue does affect Red Hat JBoss Web Server 2.x; a future update may address this issue.
Comment 6 Timothy Walsh 2015-04-16 08:33:56 EDT 
Upstream patch:

http://svn.apache.org/viewvc?view=revision&revision=1647017
Comment 7 errata-xmlrpc 2015-04-16 11:39:27 EDT 
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.4.0

Via RHSA-2015:0849 https://rhn.redhat.com/errata/RHSA-2015-0849.html
Comment 8 errata-xmlrpc 2015-04-16 12:28:54 EDT 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2015:0847 https://rhn.redhat.com/errata/RHSA-2015-0847.html
Comment 9 errata-xmlrpc 2015-04-16 12:31:42 EDT 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 5

Via RHSA-2015:0846 https://rhn.redhat.com/errata/RHSA-2015-0846.html
Comment 10 errata-xmlrpc 2015-04-16 12:33:46 EDT 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2015:0848 https://rhn.redhat.com/errata/RHSA-2015-0848.html
Comment 17 errata-xmlrpc 2015-08-18 14:48:55 EDT 
This issue has been addressed in the following products:

  JBoss Web Server 2.1.0

Via RHSA-2015:1641 https://rhn.redhat.com/errata/RHSA-2015-1641.html
Comment 19 errata-xmlrpc 2015-08-18 14:51:20 EDT 
This issue has been addressed in the following products:

  JBEWS 2 for RHEL 6
  JBEWS 2 for RHEL 7
  JBEWS 2 for RHEL 5

Via RHSA-2015:1642 https://rhn.redhat.com/errata/RHSA-2015-1642.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.