Apache mod_jk Access Control Bypass Vulnerability (CVE-2018-11759) Threat Alert

Apache mod_jk Access Control Bypass Vulnerability (CVE-2018-11759) Threat Alert

November 10, 2018 | Adeline Zhang

Vulnerability Overview

Recently, Apache Software Foundation (ASF) released a security advisory to announce the fix for an access control bypass vulnerability (CVE-2018-11759) in the mod_jk module in Apache Tomcat. Currently, the proof of concept (PoC) has been announced for this vulnerability. Users of this software should take precautions to fix this vulnerability as soon as possible.

Apache Tomcat JK (mod_jk) Connector is a module used to connect Tomcat to Apache or IIS. Like the one assigned CVE-2018-1323, this vulnerability (CVE-2018-11759) exists because Apache Tomcat Web Server (HTTPD)’s code which is used to normalize the requested path fails to properly handle edge cases (for example, filtering out the semicolon (;)) before mapping it to the URI-work map in Apache Tomcat JK (mod_jk) Connector. An attacker could exploit this vulnerability to bypass the intended access control via a maliciously constructed request.

Reference link: https://lists.apache.org/thread.html/6d564bb0ab73d6b3efdd1d6b1c075d1a2c84ecd84a4159d6122529ad@%3Cannounce.tomcat.apache.org%3E

  • Scope of Impact

Affected Version

  • Apache Group Tomcat JK (mod_jk) Connector 1.2.0-1.2.44

Unaffected Version

  • Apache Group Tomcat JK (mod_jk) Connector 1.2.46
  • Vulnerability Check
    • Version Check

Users can determine whether their current software version is vulnerable by running the following command to check the mod_jk.so file.

  • Check via PoC

Also, users can implement the PoC of this vulnerability to check whether their current module is vulnerable. Here takes 127.0.0.1 as an example. As shown in the following figure, complete the following configurations in the configuration file httpd.conf to restrict the access to 127.0.0.1.

When localhost/jkstatus (localhost indicates 127.0.0.1) is accessed from a local address, a message will be displayed, saying that the access is rejected.

Appending a semicolon (;) to the preceding URL can bypass the access restriction. If the following page appears, the current mod_jk is vulnerable.

Vulnerability Protection

Official Upgrade

ASF has released new versions to fix this vulnerability. Affected users should upgrade their application to V1.2.46 or later as soon as possible for effective protection.

Users need to download the latest source code from the following link for compilation and installation:

https://archive.apache.org/dist/tomcat/tomcat-connectors/jk/tomcat-connectors-1.2.46-src.zip

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory.

NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS IB is a wholly owned subsidiary of NSFOCUS, an enterprise application and network security provider, with operations in the Americas, Europe, the Middle East, Southeast Asia and Japan. NSFOCUS IB has a proven track record of combatting the increasingly complex cyber threat landscape through the construction and implementation of multi-layered defense systems. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide unified, multi-layer protection from advanced cyber threats.

For more information about NSFOCUS, please visit:

Home

NSFOCUS, NSFOCUS IB, and NSFOCUS, INC. are trademarks or registered trademarks of NSFOCUS, Inc. All other names and trademarks are property of their respective firms.