| Field | Value |
|---|---|
| VID | 22186 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |

Detailed Description

The Apache Tomcat mod_jk module, according to its banner, is vulnerable to a denial of service attack. Apache Webserver and Tomcat are HTTP servers maintained and distributed by the Apache project and are available for the Unix, Linux, and Microsoft Windows platforms. A denial of service vulnerability exists in Apache Webserver and Tomcat when mod_jk 1.2 is used. The mod_jk Apache module is a "bridge" between the Apache Web Server and the Jakarta Tomcat Server: "normal" web requests over port 80 are handled by Apache, while Java Servlet and JSP requests are forwarded to Tomcat. It supports several protocols, in particular the Apache JServ Protocol 1.3 (AJP13). The vulnerability arises from design problems in the module that allow a remote attacker to desynchronize the communication between Apache and Tomcat by submitting malicious chunked-encoding requests to the Apache web server, such as the following:

```http
GET /index.jsp HTTP/1.1
Host: X.X.X.X
Transfer-Encoding: Chunked

53636f7474
```

By sending multiple HTTP GET requests for the index.jsp file that use invalid chunked transfer encoding, a remote attacker could overflow a network buffer, rendering the server unusable until either Apache or Tomcat is restarted.

* Note: This check item relies solely on the banner of the Apache mod_jk module to assess this vulnerability, so the result may be a false positive.
* References: http://www.securiteam.com/unixfocus/6A0061F6AQ.html
* Affected Platforms: Apache Software Foundation Apache 1.3; Apache 1.3.11/12/14; Apache 1.3.17 - 1.3.20; Apache 1.3.22 - 1.3.27; mod_jk 1.2; Tomcat 4.0; Tomcat 4.0.1 - 4.0.5; Tomcat 4.1; Tomcat 4.1.10/12; Linux (any version); Unix (any version); Windows (any version)

| Field | Value |
|---|---|
| Recommendation | Upgrade to the fixed version mod_jk 1.2.1 from the Jakarta Web site, http://jakarta.apache.org/builds/jakarta-tomcat-connectors/jk/release/v1.2.1/ |
| Related URL | (CVE) |
| Related URL | 6320 (SecurityFocus) |
| Related URL | 10771 (ISS) |