CVE-2018-11759

Published: 31/10/2018 Updated: 14/11/2018

Vulnerability Summary

The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical.

A vulnerability in the Apache Tomcat JK Connector (mod_jk) could allow an unauthenticated, remote attacker to conduct a path traversal attack on a targeted system.

The vulnerability exists because the Apache Web Server (httpd) code that normalizes a request path before matching it to the URI-worker map improperly handles certain edge cases. An attacker could exploit this vulnerability by sending a specially constructed request to an affected system. A successful exploit could allow the attacker to reach application functionality through the reverse proxy that was not intended to be exposed to clients of that proxy. In addition, in some configurations an exploit could allow the attacker to bypass access control restrictions that are configured in httpd.

Apache has confirmed the vulnerability and released software updates.

Mitigation

Administrators are advised to apply the appropriate updates.

Administrators are advised to allow only trusted users to have network access.

Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.

Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.

Administrators can help protect affected systems from external attacks by using a solid firewall strategy.

Administrators are advised to monitor affected systems.
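To decide which reverse proxies need the update advised above, the affected range given in the summary (mod_jk 1.2.0 to 1.2.44) can be checked against collected httpd banners. The following is an added example, not code from Apache or from this advisory; it assumes banners were gathered with `ServerTokens Full` so that the `mod_jk/x.y.z` product token is visible, and the hostnames and banner strings are constructed.

```python
import re

# Affected range as stated in the advisory: mod_jk 1.2.0 to 1.2.44 inclusive.
AFFECTED_MIN = (1, 2, 0)
AFFECTED_MAX = (1, 2, 44)

# httpd lists loaded modules as product tokens such as "mod_jk/1.2.44"
# when ServerTokens is Full (assumption about how banners were collected).
_TOKEN = re.compile(r"\bmod_jk/(\d+)\.(\d+)\.(\d+)")


def modjk_version(banner):
    """Return the mod_jk version found in a banner as an int tuple, or None."""
    m = _TOKEN.search(banner or "")
    return tuple(int(p) for p in m.groups()) if m else None


def is_affected(version):
    """True when the version lies inside the advisory's affected range."""
    # Integer tuples, so 1.2.9 sorts below 1.2.44 (string comparison would not).
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def audit(inventory):
    """Map each host to 'affected', 'not affected' or 'unknown'.

    'unknown' means no mod_jk token was visible; the banner may have been
    trimmed by ServerTokens, so the host still needs a check on the box.
    """
    report = {}
    for host, banner in inventory.items():
        version = modjk_version(banner)
        if version is None:
            report[host] = "unknown"
        else:
            report[host] = "affected" if is_affected(version) else "not affected"
    return report


# Constructed sample inventory (hostnames and banners are made up).
SAMPLE = {
    "proxy-a.example": "Apache/2.4.29 (Ubuntu) mod_jk/1.2.43 OpenSSL/1.1.0g",
    "proxy-b.example": "Apache/2.4.37 (Unix) mod_jk/1.2.46",
    "proxy-c.example": "Apache",
    "proxy-d.example": "Apache/2.2.15 (CentOS) mod_jk/1.2.9",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}: {status}")
```

A host reported as `unknown` is not cleared: the module version has to be confirmed on the server itself.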

Exploitation

To exploit this vulnerability, the attacker must send a request that submits malicious input to the targeted system, making exploitation more difficult in environments that restrict network access from untrusted sources.

Github Repositories

CVE-2018-11759 Proof of concept Description The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially construc