Description

The JK status manager is an administration interface for mod_jk.

Due to discrepancies between the specifications of httpd and Tomcat for path resolution, Apache mod_jk Connector 1.2.0 to 1.2.44 access controls to endpoints defined by a JkMount httpd directive can be bypassed.

Notably, if a read-only JK status manager interface is available, it is possible to disclose the internal routes of AJP services served by mod_jk.

Furthermore, if a read-write JK status manager interface is available, it is possible to hijack or shutdown all traffic traversing mod_jk by altering the configuration of AJP workers, or to conduct internal port scanning.

Remediation

A patch is available for mod_jk (version 1.2.46).
Other mitigations include the use of Location values such as /jkstatus*, which seems to fix the issue.

References

Apache mod_jk access control bypass

Patch

Related Vulnerabilities

WordPress Server-Side Request Forgery (3.7 - 6.1.1)

WordPress 4.8.x Denial of Service Vulnerability (4.8 - 4.8.5)

Joomla! Core Denial of Service (2.5.0 - 3.9.27)

WordPress Plugin jRSS Widget Server-Side Request Forgery (1.2)

Apache OFBiz XMLRPC Deserialization RCE (CVE-2020-9496/CVE-2023-49070)

Severity

Medium

Classification

CVE-2018-11759 CWE-918 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Tags

Denial Of Service SSRF