Re: libapache-mod-jk: CVE-2014-8111

To: "debian-java@lists.debian.org" <debian-java@lists.debian.org>, team@security.debian.org
Subject: Re: libapache-mod-jk: CVE-2014-8111
From: Markus Koschany <apo@gambaru.de>
Date: Mon, 25 May 2015 17:10:48 +0200
Message-id: <[🔎] 55633B78.3040709@gambaru.de>
Reply-to: "debian-java@lists.debian.org" <debian-java@lists.debian.org>
In-reply-to: <[🔎] 20150525072147.GA10799@eldamar.local>
References: <[🔎] 55625218.1040605@gambaru.de> <[🔎] 20150525072147.GA10799@eldamar.local>

Hello Salvatore,

On 25.05.2015 09:21, Salvatore Bonaccorso wrote:
[...]
>> I think the issue warrants a DSA since it is remotely exploitable
>> although the severity and impact are probably only moderate for most setups.
> 
> Sourcewise the debdiffs looks good to me. But no I'm not really
> familar with the source package. Were the changes sucessfully as well
> tested in some (production) environment?

I know that the same patch was applied to four Red Hat products one
month ago. [1] Building and updating the package works as expected. I am
familiar with the Apache web server but I don't run the Apache + Tomcat
+ mod_jk combination and have no way to test this change in a production
environment. The change will enable a new default option
"CollapseSlashesUnmount". For Debian only the changes in the apache-2.0
module are important but I left the patch intact, who knows what corner
cases exist out there with Apache-1.3 servers. Judging from the patch
the new jk_no2slash function is then responsible for removing adjacent
slashes. I expect that no disruption occurs from applying this change
but more testing and feedback are appreciated.

> To already look ahead: If I see it correctly, wheezy and jessie share
> the same original source, so
> https://wiki.debian.org/DebianSecurity/AdvisoryCreation/SecFull#Stable_and_oldstable_sharing_the_same_upstream_tarball
> will aply, so when we then go ahead, the first upload need to be build
> with -sa, wait to have it accepted on security-master side, and then
> upload the second without including the original source (otherwise
> there are problems when pushing the package to ftp-master from
> security-master).

Please note that I can't upload the package myself, so someone from the
Java or security team is needed for the final upload.

>> It was discovered that a JkUnmount rule for a subtree of a previous
>> JkMount rule could be ignored. This could allow a remote attacker to
>> potentially access a private artifact in a tree that would otherwise not
>> be accessible to them.
> 
> Please add here a introductory description of libapache-mod-jk. E.g.
> "An information disclosure flaw was found in mod_jk, the Tomcat
> Connector module for Apache. [...]" (or any improvement to this).

There isn't much to say about libapache-mod-jk, but let's try this:

An information disclosure flaw due to incorrect JkMount/JkUnmount
directives processing was found in the Apache 2 module mod_jk to forward
requests from the Apache web server to Tomcat. A JkUnmount rule for a
subtree of a previous JkMount rule could be ignored. This could allow a
remote attacker to potentially access a private artifact in a tree that
would otherwise not be accessible to them.

Regards,

Markus


[1] https://bugzilla.redhat.com/show_bug.cgi?id=1182591

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

Follow-Ups:
- Re: libapache-mod-jk: CVE-2014-8111
  - From: Salvatore Bonaccorso <carnil@debian.org>

References:
- libapache-mod-jk: CVE-2014-8111
  - From: Markus Koschany <apo@gambaru.de>
- Re: libapache-mod-jk: CVE-2014-8111
  - From: Salvatore Bonaccorso <carnil@debian.org>

Prev by Date: Re: libapache-mod-jk: CVE-2014-8111
Next by Date: Re: libapache-mod-jk: CVE-2014-8111
Previous by thread: Re: libapache-mod-jk: CVE-2014-8111
Next by thread: Re: libapache-mod-jk: CVE-2014-8111
Index(es):
- Date
- Thread