Bug 1085220 (CVE-2018-1323) - VUL-1: CVE-2018-1323: apache2-mod_jk: isapi_redirect: Mishandled HTTP request paths in jk_isapi_plugin.c can lead to unintended exposure of application resources via the reverse proxy
Summary: VUL-1: CVE-2018-1323: apache2-mod_jk: isapi_redirect: Mishandled HTTP reques...
Status: RESOLVED UPSTREAM
Alias: CVE-2018-1323
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P4 - Low : Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/201678/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-03-14 07:26 UTC by Marcus Meissner
Modified: 2024-03-28 15:50 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2018-03-14 07:26:58 UTC 
https://lists.apache.org/thread.html/6e146bce83578bd870893250ba8354e28f9d8e86c674c30dbeee529f@%3Cannounce.tomcat.apache.org%3E


CVE-2018-1323 Apache Tomcat JK ISAPI Connector path traversal

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat JK ISAPI Connector 1.2.0 to 1.2.42

Description
The IIS/ISAPI specific code that normalised the requested path before
matching it to the URI-worker map did not handle some edge cases
correctly. If only a sub-set of the URLs supported by Tomcat were
exposed via IIS, then it was possible for a specially constructed
request to expose application functionality through the reverse proxy
that was not intended for clients accessing the application via the
reverse proxy.

Mitigation
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat JK ISAPI Connector 1.2.43 or later.
- Use alternative measures (e.g. the remote address filter) to restrict
  access to trusted users.

Credit:
This issue was discovered by Alphan Yavas from Biznet Bilisim A.S. and
reported responsibly to the Apache Tomcat Security Team.


References:
[1] http://tomcat.apache.org/security-jk.html
Comment 8 Marcus Meissner 2019-06-06 11:46:36 UTC 
windows only - upstream fixed