Bug 490201 - (CVE-2008-5519) CVE-2008-5519 mod_jk: session information leak
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: reported=20090305,public=20081028,sou...
Keywords: Security
Depends On: 493986 493987 493988 493992 493993 500423 500456
Reported: 2009-03-13 15:21 EDT by Vincent Danen
Modified: 2013-01-10 21:19 EST
Doc Type: Bug Fix
Last Closed: 2011-07-26 11:19:34 EDT
Description Vincent Danen 2009-03-13 15:21:05 EDT
An issue with mod_jk 1.2.26, and possibly older versions, allows one user to see another user's information due to missing logic where faulty clients set Content-Length without providing data, or if a user submits too many times very fast.

The relevant changelog entry in mod_jk 1.2.27 that corrects the issue is:

"AJP13: Always send initial POST packet even if the client disconnected after sending request but before providing POST data. In that case or in case the client broke the connection in a middle of read send an zero size packet informing container about broken client connection. (mturk)"

from http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html
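
Added example, not part of the bug report or of mod_jk's code: a toy Python model of the framing that the 1.2.27 changelog entry describes. The AJP13 packet prefix and length fields follow the protocol; the stand-in Forward Request, the `fixed` flag and the container reader are constructed for illustration and assume the container reads a body packet right after any request that declares Content-Length > 0.

```python
import struct

AJP_MAGIC = b"\x12\x34"  # prefix of every web-server-to-container AJP13 packet

def ajp_packet(payload: bytes) -> bytes:
    """Frame a payload: magic, 2-byte big-endian payload length, payload."""
    return AJP_MAGIC + struct.pack(">H", len(payload)) + payload

def body_packet(chunk: bytes) -> bytes:
    """Request body chunk: 2-byte chunk length followed by the bytes."""
    return ajp_packet(struct.pack(">H", len(chunk)) + chunk)

EMPTY_BODY = ajp_packet(b"")  # the "zero size packet": 12 34 00 00

def forward_request(content_length: int) -> bytes:
    """Constructed stand-in for a Forward Request (prefix code 2); a real one
    carries method, URI and headers, here only the declared Content-Length."""
    return ajp_packet(b"\x02" + struct.pack(">I", content_length))

def connector_send(content_length: int, client_data, fixed: bool) -> bytes:
    """Bytes the connector writes to the backend connection for one request.
    client_data is None when the client went away before sending a body."""
    out = forward_request(content_length)
    if content_length > 0:
        if client_data:
            out += body_packet(client_data)
        elif fixed:
            out += EMPTY_BODY  # behaviour quoted from the 1.2.27 changelog
        # fixed=False: nothing is sent, so the next packet on the wire is not a body
    return out

def container_read(stream: bytes):
    """Toy container: parse requests off one reused connection and return
    (declared_length, payload_read_as_first_body_packet) per request."""
    seen, pos = [], 0
    def next_packet():
        nonlocal pos
        assert stream[pos:pos + 2] == AJP_MAGIC
        (n,) = struct.unpack(">H", stream[pos + 2:pos + 4])
        payload = stream[pos + 4:pos + 4 + n]
        pos += 4 + n
        return payload
    while pos < len(stream):
        req = next_packet()
        (declared,) = struct.unpack(">I", req[1:5])
        body = next_packet() if declared > 0 and pos < len(stream) else None
        seen.append((declared, body))
    return seen
```

With `fixed=True` the reader sees both requests with correct boundaries; with `fixed=False` the second request's packet is consumed as the first request's body, so request and response pairing on the reused connection no longer lines up.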
Comment 5 Vincent Danen 2009-04-03 11:21:38 EDT
This issue affects 1.2.0 through to 1.2.26 and is fixed in revision 702540:

http://svn.eu.apache.org/viewvc?view=rev&revision=702540
Comment 9 Vincent Danen 2009-04-07 17:17:53 EDT
This is public now:

http://marc.info/?l=tomcat-dev&m=123913700700879
Comment 10 errata-xmlrpc 2009-04-23 14:48:50 EDT
This issue has been addressed in the following products:

  Red Hat Web Application Stack for RHEL 5

Via RHSA-2009:0446 https://rhn.redhat.com/errata/RHSA-2009-0446.html
Comment 13 errata-xmlrpc 2009-06-09 10:31:21 EDT
This issue has been addressed in the following products:

  RHAPS Version 2 for RHEL 4

Via RHSA-2009:1087 https://rhn.redhat.com/errata/RHSA-2009-1087.html
Comment 14 errata-xmlrpc 2009-11-30 10:18:43 EST
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.1
  Red Hat Network Satellite Server v 5.2

Via RHSA-2009:1618 https://rhn.redhat.com/errata/RHSA-2009-1618.html
Comment 15 Josh Bressers 2011-07-26 10:47:24 EDT
We will not be issuing a fix for this flaw in Red Hat Network Satellite Server v 5.0. That version is only supported for high priority security fixes, which this is not.
