J-Security Center

Title: Apache Tomcat JK Connector Double Encoding Security Bypass Vulnerability

Severity: MODERATE

Description:

Apache Tomcat is the servlet container used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies.

The Apache HTTP Server, when running with the Tomcat JK Web Server Connector ('mod_jk'), is prone to a security-bypass vulnerability because request URLs are percent-decoded more than once.

Specifically, 'mod_jk' first decodes a request URL inside the Apache 'httpd' process and then forwards the decoded URL to Tomcat, which decodes it a second time. Because the URL is decoded by more than one component, the frontend's access checks operate on a different path than the one the backend finally resolves; this is a design flaw that could allow attackers to bypass access controls. An attacker could pass a double-encoded '..' in a request URL to bypass frontend security restrictions and gain access to normally restricted pages in the Tomcat backend.
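The following is an added illustration, not code from the advisory or from the mod_jk project: a small Python model of the two decoding layers described above, with the restricted prefix, request paths and the hardened single-decode rule all constructed for this example.

```python
from typing import Optional
from urllib.parse import unquote

# Constructed example: the frontend denies everything under this prefix.
RESTRICTED_PREFIX = "/admin/"


def normalise(path: str) -> str:
    """Collapse '.' and '..' segments the way a container maps a path to a resource."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg and seg != ".":
            out.append(seg)
    return "/" + "/".join(out)


def frontend_allows(raw_path: str) -> bool:
    """Model of the httpd-side rule: decode once, then deny traversal and restricted prefixes."""
    once = unquote(raw_path)
    return "/../" not in once and not normalise(once).startswith(RESTRICTED_PREFIX)


def backend_resolves(forwarded_path: str) -> str:
    """Model of the pre-1.2.23 backend: it decodes the already-decoded path a second time."""
    return normalise(unquote(forwarded_path))


def reaches_restricted_resource(raw_path: str) -> bool:
    """True when the frontend passes a request that the backend then maps under the prefix."""
    if not frontend_allows(raw_path):
        return False
    # httpd forwards the once-decoded path; Tomcat decodes it again.
    return backend_resolves(unquote(raw_path)).startswith(RESTRICTED_PREFIX)


def hardened_resolve(raw_path: str) -> Optional[str]:
    """Single-decode rule: decode exactly once, refuse any path that would still change
    under a further decode (nested encoding), normalise, then apply the access rule.
    Returns the canonical path, or None when the request is refused."""
    once = unquote(raw_path)
    if unquote(once) != once:
        return None  # a second decode would alter the path: nested encoding, refuse it
    canonical = normalise(once)
    if canonical.startswith(RESTRICTED_PREFIX):
        return None
    return canonical
```

The hardened rule is deliberately conservative: a literal '%' that was itself encoded twice is refused rather than guessed at, which is the safer default for a boundary that fronts another decoder.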

The Apache Software Foundation reports that this issue stems from an insufficient patch for BID 22960 ("Apache HTTP Server Tomcat Directory Traversal Vulnerability") and CVE-2007-0450.

Exploiting this issue allows attackers to access restricted files in the Tomcat web directory. This can expose sensitive information that could help attackers launch further attacks.

This issue is present in versions prior to Apache Tomcat JK Connector 1.2.23.

Affected Products:

  • Apache Software Foundation Tomcat JK Web Server Connector 1.2.21
  • Apple Mac OS X 10.3.9
  • Apple Mac OS X 10.4.10
  • Apple Mac OS X Server 10.3.9
  • Apple Mac OS X Server 10.4.10
  • Avaya Integrated Management 4.0
  • Avaya Integrated Management 5.0
  • Debian Linux 3.1.0
  • Debian Linux 3.1.0 alpha
  • Debian Linux 3.1.0 amd64
  • Debian Linux 3.1.0 arm
  • Debian Linux 3.1.0 hppa
  • Debian Linux 3.1.0 ia-32
  • Debian Linux 3.1.0 ia-64
  • Debian Linux 3.1.0 m68k
  • Debian Linux 3.1.0 mips
  • Debian Linux 3.1.0 mipsel
  • Debian Linux 3.1.0 ppc
  • Debian Linux 3.1.0 s/390
  • Debian Linux 3.1.0 sparc
  • Debian Linux 4.0
  • Debian Linux 4.0 alpha
  • Debian Linux 4.0 amd64
  • Debian Linux 4.0 arm
  • Debian Linux 4.0 hppa
  • Debian Linux 4.0 ia-32
  • Debian Linux 4.0 ia-64
  • Debian Linux 4.0 m68k
  • Debian Linux 4.0 mips
  • Debian Linux 4.0 mipsel
  • Debian Linux 4.0 powerpc
  • Debian Linux 4.0 s/390
  • Debian Linux 4.0 sparc
  • Gentoo Linux
  • HP HP-UX B.11.11
  • HP HP-UX B.11.23
  • HP HP-UX B.11.31
  • Linux kernel 2.4.19
  • Linux kernel 2.4.21
  • Linux kernel 2.6.5
  • RedHat Application Stack v1 for Enterprise Linux AS 4
  • RedHat Application Stack v1 for Enterprise Linux ES 4
  • RedHat Enterprise Linux AS 2.1
  • RedHat Enterprise Linux AS 2.1 IA64
  • RedHat Enterprise Linux AS 3
  • RedHat Enterprise Linux AS 4
  • RedHat Enterprise Linux ES 2.1
  • RedHat Enterprise Linux ES 2.1 IA64
  • RedHat Enterprise Linux ES 3
  • RedHat Enterprise Linux ES 4
  • RedHat Enterprise Linux WS 2.1
  • RedHat Enterprise Linux WS 2.1 IA64
  • RedHat Enterprise Linux WS 3
  • RedHat Enterprise Linux WS 4
  • RedHat Red Hat Network Satellite Server 5.0.0
  • S.u.S.E. Linux 10.0 ppc
  • S.u.S.E. Linux 10.0 x86
  • S.u.S.E. Linux 10.0 x86-64
  • S.u.S.E. Linux 10.1 ppc
  • S.u.S.E. Linux 10.1 x86
  • S.u.S.E. Linux 10.1 x86-64
  • S.u.S.E. Linux Desktop 1.0.0
  • S.u.S.E. Linux Desktop 10
  • S.u.S.E. Linux Enterprise SDK 10
  • S.u.S.E. Linux Enterprise SDK 10 SP1
  • S.u.S.E. Linux Enterprise Server 10
  • S.u.S.E. Linux Enterprise Server 10.SP1
  • S.u.S.E. Linux Enterprise Server 8
  • S.u.S.E. Linux Enterprise Server 9
  • S.u.S.E. Linux Office Server
  • S.u.S.E. Linux Openexchange Server
  • S.u.S.E. Linux Personal 10.0.0 OSS
  • S.u.S.E. Linux Personal 10.1
  • S.u.S.E. Linux Personal 10.2
  • S.u.S.E. Linux Personal 10.2 x86_64
  • S.u.S.E. Linux Professional 10.0.0
  • S.u.S.E. Linux Professional 10.0.0 OSS
  • S.u.S.E. Linux Professional 10.1
  • S.u.S.E. Linux Professional 10.2
  • S.u.S.E. Linux Professional 10.2 x86_64
  • S.u.S.E. Novell Linux Desktop 1.0.0
  • S.u.S.E. Novell Linux Desktop 9
  • S.u.S.E. Novell Linux Desktop 9.0.0
  • S.u.S.E. Novell Linux Desktop SDK 9.0.0
  • S.u.S.E. Novell Linux POS 9
  • S.u.S.E. Office Server
  • S.u.S.E. Open-Enterprise-Server
  • S.u.S.E. Open-Enterprise-Server 1
  • S.u.S.E. Open-Enterprise-Server 9.0.0
  • S.u.S.E. SLE SDK 10
  • S.u.S.E. SLE SDK 10.SP1
  • S.u.S.E. SUSE LINUX Retail Solution 8.0.0
  • S.u.S.E. SUSE Linux Enterprise 10 SP1 DEBUGINFO
  • S.u.S.E. SUSE Linux Enterprise Desktop 10
  • S.u.S.E. SUSE Linux Enterprise Desktop 10 SP1
  • S.u.S.E. SUSE Linux Enterprise Server 10
  • S.u.S.E. SUSE Linux Enterprise Server 10 SP1
  • S.u.S.E. SUSE Linux Enterprise Server 9 SP3
  • S.u.S.E. SuSE Linux Open-Xchange 4.1.0
  • S.u.S.E. SuSE Linux Openexchange Server 4.0.0
  • S.u.S.E. SuSE Linux School Server for i386
  • S.u.S.E. SuSE Linux Standard Server 8.0.0
  • S.u.S.E. UnitedLinux 1.0.0
  • S.u.S.E. openSUSE 10.1
  • S.u.S.E. openSUSE 10.2
  • S.u.S.E. openSUSE 10.3

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.