Bugzilla – Bug 927845
VUL-1: CVE-2014-8111: apache2-mod_jk: Tomcat mod_jk information leak due to incorrect JkMount/JkUnmount directives processing
Last modified: 2020-04-24 14:22:19 UTC
Via RH: A vulnerability has been found in the mod_jk connector relating to the use of JkMount and JkUnmount. A JkUnmount rule for a subtree of a previous JkMount rule could be ignored. This could allow a remote attacker to potentially access a private artifact in a directory tree that would otherwise not be accessible to them. If you use a mount rule like JkMount /a/b/* myworker Then JkUnmount /a/b/private/* myworker Artifacts in the private folder would still be accessible. This vulnerability affected all versions of mod_jk. Patch: http://svn.apache.org/viewvc?view=revision&revision=1647017 and attached. References: https://bugzilla.redhat.com/show_bug.cgi?id=1182591 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8111 https://rhn.redhat.com/errata/RHSA-2015-0848.html https://rhn.redhat.com/errata/RHSA-2015-0846.html https://rhn.redhat.com/errata/RHSA-2015-0849.html https://rhn.redhat.com/errata/RHSA-2015-0847.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8111
Created attachment 631642 [details] upstream patch
bugbot adjusting priority
Sent to Factory, rest can be done when requested.
This is an autogenerated message for OBS integration: This bug (927845) was mentioned in https://build.opensuse.org/request/show/311304 Factory / apache2-mod_jk
can you submit for SLE12 ? we are doing a apache2-mod_jk update to handle the mpm situation also SUSE:SLE-12-SP1:GA does notg have the fix, but a forked apache2-mod_jk.
(In reply to Marcus Meissner from comment #7) > can you submit for SLE12 ? we are doing a apache2-mod_jk update to handle > the mpm situation > > also SUSE:SLE-12-SP1:GA does notg have the fix, but a forked apache2-mod_jk. SLE12Update and SP1GA both done. Do you want it for SLE11SP4 too?
11-sp4 not at this time.
SUSE-SU-2015:1851-1: An update that solves four vulnerabilities and has 9 fixes is now available. Category: security (moderate) Bug References: 444878,869790,911159,915666,927845,930228,931002,931723,938723,938728,939516,949766,949771 CVE References: CVE-2014-8111,CVE-2015-3183,CVE-2015-3185,CVE-2015-4000 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): apache2-2.4.10-14.10.1 SUSE Linux Enterprise Server 12 (src): apache2-2.4.10-14.10.1, apache2-mod_auth_kerb-5.4-2.4.1, apache2-mod_jk-1.2.40-2.6.1, apache2-mod_security2-2.8.0-3.4.1 SUSE Enterprise Storage 1.0 (src): apache2-mod_fastcgi-2.4.7-3.4.1
Submitted also to 11sp4, reassigning to security team.
SUSE-SU-2018:3970-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 1114612,927845 CVE References: CVE-2014-8111,CVE-2018-11759 Sources used: SUSE Linux Enterprise Server 11-SP4 (src): apache2-mod_jk-1.2.40-0.2.5.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): apache2-mod_jk-1.2.40-0.2.5.1
Done