Vigil@nce: Apache Tomcat, information disclosure via mod_jk
April 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
In some cases, the mod_jk module can send to the client data
belonging to another user.
Severity: 2/4
Consequences: data reading
Provenance: internet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 08/04/2009
IMPACTED PRODUCTS
– Apache Tomcat
DESCRIPTION OF THE VULNERABILITY
The mod_jk module is the interface between the Apache Tomcat
server and the web server.
An AJP (Apache JServ Protocol) request is composed of:
– an header
– a body ("POST") if the Content-Length header was used
However, if the client uses a Content-Length header with no body
(or if requests are too fast), the mod_jk module desynchronizes.
Data belonging to another user can thus be returned to the client.
In some cases, the mod_jk module can therefore send to the client
data belonging to another user.
CHARACTERISTICS
Identifiers: BID-34412, CVE-2008-5519, VIGILANCE-VUL-8609
http://vigilance.fr/vulnerability/Apache-Tomcat-information-disclosure-via-mod-jk-8609