Headline
Red Hat Security Advisory 2024-2387-03
Red Hat Security Advisory 2024-2387-03 - An update for mod_jk and mod_proxy_cluster is now available for Red Hat Enterprise Linux 9. Issues addressed include cross site scripting and information leakage vulnerabilities.
The following advisory data is extracted from:
https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_2387.json
Red Hat officially shut down their mailing list notifications October 10, 2023. Due to this, Packet Storm has recreated the below data as a reference point to raise awareness. It must be noted that due to an inability to easily track revision updates without crawling Red Hat’s archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.
- Packet Storm Staff
====================================================================
Red Hat Security Advisory
Synopsis: Moderate: mod_jk and mod_proxy_cluster security update
Advisory ID: RHSA-2024:2387-03
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2024:2387
Issue date: 2024-04-30
Revision: 03
CVE Names: CVE-2023-6710
====================================================================
Summary:
An update for mod_jk and mod_proxy_cluster is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description:
The mod_jk module is a plugin for the Apache HTTP Server to connect it with the Apache Tomcat servlet engine.
The mod_proxy_cluster module is a plugin for the Apache HTTP Server that provides load-balancer functionality.
Security Fix(es):
httpd: Apache Tomcat Connectors (mod_jk) Information Disclosure (CVE-2023-41081)
mod_cluster/mod_proxy_cluster: Stored Cross site Scripting (CVE-2023-6710)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.4 Release Notes linked from the References section.
Solution:
https://access.redhat.com/articles/11258
CVEs:
CVE-2023-6710
References:
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.4_release_notes/index
https://bugzilla.redhat.com/show_bug.cgi?id=2238847
https://bugzilla.redhat.com/show_bug.cgi?id=2254128
https://issues.redhat.com/browse/RHEL-27497
https://issues.redhat.com/browse/RHEL-27511
Related news
Ubuntu Security Notice 6826-1 - Karl von Randow discovered that mod_jk was vulnerable to an authentication bypass. If the configuration did not provide explicit mounts for all possible proxied requests, an attacker could possibly use this vulnerability to bypass security constraints configured in httpd.
Apache mod_proxy_cluster suffers from a cross site scripting vulnerability.
Red Hat Security Advisory 2024-1317-03 - Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 3 is now available. Issues addressed include buffer overflow, cross site scripting, information leakage, out of bounds read, and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-1316-03 - Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 3 is now available. Issues addressed include cross site scripting, information leakage, and out of bounds read vulnerabilities.
A flaw was found in the mod_proxy_cluster in the Apache server. This issue may allow a malicious user to add a script in the 'alias' parameter in the URL to trigger the stored cross-site scripting (XSS) vulnerability. By adding a script on the alias parameter on the URL, it adds a new virtual host and adds the script to the cluster-manager page. The impact of this vulnerability is considered as Low, as the cluster_manager URL should not be exposed outside and is protected by user/password.
Red Hat Security Advisory 2023-7626-03 - Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 2 is now available. Issues addressed include buffer overflow, denial of service, information leakage, and integer overflow vulnerabilities.
Red Hat Security Advisory 2023-7625-03 - An update is now available for Red Hat JBoss Core Services. Issues addressed include buffer overflow, denial of service, and information leakage vulnerabilities.
The mod_jk component of Apache Tomcat Connectors in some circumstances, such as when a configuration included "JkOptions +ForwardDirectories" but the configuration did not provide explicit mounts for all possible proxied requests, mod_jk would use an implicit mapping and map the request to the first defined worker. Such an implicit mapping could result in the unintended exposure of the status worker and/or bypass security constraints configured in httpd. As of JK 1.2.49, the implicit mapping functionality has been removed and all mappings must now be via explicit configuration. Only mod_jk is affected by this issue. The ISAPI redirector is not affected. This issue affects Apache Tomcat Connectors (mod_jk only): from 1.2.0 through 1.2.48. Users are recommended to upgrade to version 1.2.49, which fixes the issue.