Discussion:
CVE-2018-11759 vulnerability checking
GNK G
2018-11-22 16:19:40 UTC
Hello Team,

According to the link below, we can check the vulnerability using the "status" worker:

https://www.immunit.ch/blog/2018/11/01/cve-2018-11759-apache-mod_jk-access-bypass/

I am able to simulate the issue using the above method.

But it is specific only to "status" worker.

Does that mean the issue is specific only to the "status" worker, and if we don't
use it, it is not vulnerable?

I am trying the same method on other URLs (by appending ;) on our server; it
is always going for authentication. So can I assume it does not affect
other parts of our server?

Could someone please provide input on this?

Thanks,
Navanee
Mark Thomas
2018-11-22 17:20:28 UTC
Post by GNK G
> Hello Team,
> According to the below link, we can check the vulnerability using "status"
> worker
> https://www.immunit.ch/blog/2018/11/01/cve-2018-11759-apache-mod_jk-access-bypass/
> I am able to simulate the issue using the above method.
> But it is specific only to "status" worker.
> Does that mean, the issue is only specific to "status" worker, if we don't
> use it, is it not vulnerable.

No. The vulnerability is not specific to the status worker.

Post by GNK G
> I am trying the same method in other URL (by appending ;) in our server, it
> is always going for authentication. So can I assume, it does not affect
> other part in our server.

No. Whether or not you are vulnerable will depend on multiple factors.

If you are applying access controls in httpd to a subset of the URLs served by Tomcat or if Tomcat serves only a subset of the URLs accessible through httpd then you are probably vulnerable.

Mark
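
The two conditions in the reply above can be checked against an httpd configuration. The following is an added example, not part of the thread and not mod_jk project code: a heuristic Python audit that flags `<Location>` blocks whose access-control directives cover only part of a `JkMount`-mapped URL space, and reports whether Tomcat is mounted on only part of the site. The sample configuration, the function names and the matching rules are assumptions made for illustration.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample httpd configuration (not taken from the thread).
SAMPLE_CONF = """\
JkMount /app/* worker1
JkMount /jkstatus status
<Location /jkstatus>
    Require ip 127.0.0.1
</Location>
<Location /app/admin>
    AuthType Basic
    Require valid-user
</Location>
<Location /static>
    Require all granted
</Location>
"""

MOUNT = re.compile(r"^\s*JkMount\s+(\S+)\s+\S+", re.I | re.M)
LOCATION = re.compile(r'<Location\s+"?([^\s">]+)"?\s*>(.*?)</Location>', re.I | re.S)
ACCESS = re.compile(r"^\s*(Require|Auth\w+|Allow|Deny|Order)\b", re.I | re.M)

def overlaps(path, mount):
    """True if a <Location> prefix and a JkMount pattern share URLs (heuristic)."""
    return (fnmatchcase(path, mount) or fnmatchcase(path + "/", mount)
            or mount.startswith(path + "/"))

def audit(conf):
    """Return (findings, tomcat_is_partial) for one httpd configuration text.

    findings: (location, [mounts]) pairs where httpd access control covers only
    part of the URL space forwarded to Tomcat (the first condition in the reply).
    tomcat_is_partial: no JkMount covers the whole site (the second condition).
    Ignores LocationMatch, regex locations, JkUnMount and '|' mount syntax.
    """
    mounts = MOUNT.findall(conf)
    findings = []
    for loc, body in LOCATION.findall(conf):
        path = loc.rstrip("/") or "/"
        if path == "/" or not ACCESS.search(body):
            continue  # a root-level rule is not a subset; no rule, nothing to bypass
        hit = [m for m in mounts if overlaps(path, m)]
        if hit:
            findings.append((path, hit))
    return findings, bool(mounts) and "/*" not in mounts

if __name__ == "__main__":
    for path, hit in audit(SAMPLE_CONF)[0]:
        print(f"review: access control on {path} covers part of {hit}")
```

A finding means the configuration matches the pattern described in the reply and deserves review; it does not by itself establish that a given server is exploitable.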

GNK G
2018-11-23 06:56:24 UTC
Thanks, Mark. Got it clarified.