mod_jk-1.2.49-1.el9, mod_proxy_cluster-1.3.20-1.el9

Errata ID: AXSA:2024-7930:01

Release date: Thursday, May 30, 2024 - 13:36
Subject: mod_jk-1.2.49-1.el9, mod_proxy_cluster-1.3.20-1.el9
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: Moderate
Description: 

The mod_jk module is a plugin for the Apache HTTP Server to connect it with the Apache Tomcat servlet engine.

The mod_proxy_cluster module is a plugin for the Apache HTTP Server that provides load-balancer functionality.

Security Fix(es):

* httpd: Apache Tomcat Connectors (mod_jk) Information Disclosure (CVE-2023-41081)
* mod_cluster/mod_proxy_cluster: Stored Cross site Scripting (CVE-2023-6710)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the MIRACLE LINUX 9.4 Release Notes linked from the References section.

CVE-2023-41081
Upstream (Apache Tomcat Connectors) rating: Important, Authentication Bypass.

In some circumstances, such as when a configuration included "JkOptions +ForwardDirectories" but did not provide explicit mounts for all possible proxied requests, the mod_jk component of Apache Tomcat Connectors would use an implicit mapping and map the request to the first defined worker. Such an implicit mapping could result in the unintended exposure of the status worker and/or a bypass of security constraints configured in httpd.

As of JK 1.2.49, the implicit mapping functionality has been removed and all mappings must now be made via explicit configuration. Only mod_jk is affected by this issue; the ISAPI redirector is not affected.

Affected versions: Apache Tomcat Connectors (mod_jk only) 1.2.0 through 1.2.48. Users are recommended to upgrade to version 1.2.49, which fixes the issue.

History: 2023-09-13 original advisory; 2023-09-28 updated summary.
CVE-2023-6710
A flaw was found in mod_proxy_cluster for the Apache HTTP Server. A malicious user may place a script in the 'alias' parameter of a URL to trigger a stored cross-site scripting (XSS) vulnerability: the request adds a new virtual host, and the script is stored and rendered on the cluster-manager page.
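The following httpd configuration is an added example, not text from this errata or from the mod_jk project. It shows the pattern CVE-2023-41081 describes (ForwardDirectories enabled without an explicit mount for every proxied path) next to the fully explicit form that JK 1.2.49 requires. The worker names (ajp13_app, jkstatus), file paths, the /app and /jkmanager prefixes and the IP ranges are assumptions chosen for the illustration.

```apacheconf
# Added example (not from the advisory or from mod_jk). Worker names,
# paths and addresses are assumptions for illustration.

# Assumed /etc/httpd/conf/workers.properties:
#   worker.list=ajp13_app,jkstatus
#   worker.ajp13_app.type=ajp13
#   worker.ajp13_app.host=127.0.0.1
#   worker.ajp13_app.port=8009
#   worker.jkstatus.type=status

LoadModule jk_module modules/mod_jk.so
JkWorkersFile /etc/httpd/conf/workers.properties
JkLogFile     /var/log/httpd/mod_jk.log
JkLogLevel    info

# Exposed form (mod_jk 1.2.0 through 1.2.48): ForwardDirectories is on,
# but only /app/* has an explicit mount. A request for a directory that
# has no JkMount could be mapped implicitly to the first defined worker,
# so which worker a client reached, and whether the status worker was
# reachable at all, was not decided by the JkMount lines alone.
#
#   JkOptions +ForwardDirectories
#   JkMount /app/* ajp13_app

# Explicit form: every path that should reach Tomcat has its own JkMount,
# the status worker is mounted only under a prefix that httpd itself
# access-controls, and nothing depends on implicit mapping (which 1.2.49
# no longer performs).
JkOptions +ForwardDirectories
JkMount /app          ajp13_app
JkMount /app/*        ajp13_app
JkMount /jkmanager/*  jkstatus

<Location "/jkmanager/">
    Require ip 127.0.0.1 10.0.0.0/8
</Location>
```

After installing mod_jk-1.2.49-1.el9, run `httpd -t` and confirm with `rpm -q mod_jk` that the new version is in place. Because 1.2.49 forwards only explicitly mounted paths, any request that previously reached Tomcat through implicit mapping will no longer be proxied; watch for unexpected 404 responses after the update and add the missing JkMount lines rather than relying on the old behaviour.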

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. mod_jk-1.2.49-1.el9.src.rpm
    MD5: d981fea5ea919fbe1d28eeccf3234079
    SHA-256: cf0827ee525d0e6e30ec2e1c31be9fe7cf9503cf100f4513cbae153ebbe8b606
    Size: 1.03 MB
  2. mod_proxy_cluster-1.3.20-1.el9.src.rpm
    MD5: e1cf000030a2874dfccc14fb389861e0
    SHA-256: ba1c6468338ffb960e7e6afbf764e4df25e5b570cb623cb9abc109e57b6c5880
    Size: 485.64 kB

Asianux Server 9 for x86_64
  1. mod_jk-1.2.49-1.el9.x86_64.rpm
    MD5: 0ce6cf389d076f4fe131b03b4a12ae3f
    SHA-256: 27db203740a9b1072ee039977ced59828d8bab0d102520c4f0817ae1bc61b386
    Size: 189.75 kB
  2. mod_proxy_cluster-1.3.20-1.el9.x86_64.rpm
    MD5: ad808a9e569e2e8bffedd1384c8b6aa8
    SHA-256: eeb79c0f48d15a3f97172fb6f44322f219320ce2d8fe08bc591240f10f7667da
    Size: 94.04 kB