The ISAPI redirector code in Apache Tomcat JK Connector before version 1.2.43 does not properly handle HTTP request paths in certain edge cases. A remote attacker could exploit this by sending a crafted request to expose application functionality through the reverse proxy.

External References:
http://tomcat.apache.org/security-jk.html#Fixed_in_Apache_Tomcat_JK_Connector_1.2.43

Upstream Patch:
http://svn.apache.org/viewvc?view=revision&revision=1825658

This issue has been addressed in the following products:

Red Hat JBoss Core Services
Via RHSA-2018:1843 https://access.redhat.com/errata/RHSA-2018:1843