Bug 490201 (CVE-2008-5519) - CVE-2008-5519 mod_jk: session information leak
Summary: CVE-2008-5519 mod_jk: session information leak
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-5519
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: reported=20090305,public=20081028,sou...
Depends On: 493986 493987 493988 493992 493993 500423 500456
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-03-13 19:21 UTC by Vincent Danen
Modified: 2019-06-08 12:43 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-07-26 15:19:34 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:0446 normal SHIPPED_LIVE Important: mod_jk security update 2009-04-23 18:48:47 UTC
Red Hat Product Errata RHSA-2009:1087 normal SHIPPED_LIVE Important: mod_jk security update 2009-06-09 14:31:19 UTC
Red Hat Product Errata RHSA-2009:1618 normal SHIPPED_LIVE Low: mod_jk security update for Red Hat Network Satellite Server 2009-11-30 15:18:40 UTC

Description Vincent Danen 2009-03-13 19:21:05 UTC
An issue with mod_jk 1.2.26, and possibly older versions, allows one user to see another user's information due to missing logic where faulty clients set Content-Length without providing data, or if a user submits too many times very fast.

The relevant changelog entry in mod_jk 1.2.27 that corrects the issue is:

"AJP13: Always send initial POST packet even if the client disconnected after sending request but before providing POST data. In that case or in case the client broke the connection in a middle of read send an zero size packet informing container about broken client connection. (mturk)"

from http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html

Comment 5 Vincent Danen 2009-04-03 15:21:38 UTC
This issue affects 1.2.0 through to 1.2.26 and is fixed in revision 702540:

http://svn.eu.apache.org/viewvc?view=rev&revision=702540

Comment 9 Vincent Danen 2009-04-07 21:17:53 UTC
This is public now:

http://marc.info/?l=tomcat-dev&m=123913700700879

Comment 10 errata-xmlrpc 2009-04-23 18:48:50 UTC
This issue has been addressed in following products:

  Red Hat Web Application Stack for RHEL 5

Via RHSA-2009:0446 https://rhn.redhat.com/errata/RHSA-2009-0446.html

Comment 13 errata-xmlrpc 2009-06-09 14:31:21 UTC
This issue has been addressed in following products:

  RHAPS Version 2 for RHEL 4

Via RHSA-2009:1087 https://rhn.redhat.com/errata/RHSA-2009-1087.html

Comment 14 errata-xmlrpc 2009-11-30 15:18:43 UTC
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.1
  Red Hat Network Satellite Server v 5.2

Via RHSA-2009:1618 https://rhn.redhat.com/errata/RHSA-2009-1618.html

Comment 15 Josh Bressers 2011-07-26 14:47:24 UTC
We will not be issuing a fix for this flaw in Red Hat Network Satellite Server v 5.0. That version is only supported for high priority security fixes, which this is not.


Note You need to log in before you can comment on or make changes to this bug.