CVE-2018-11759: Apache mod_jk Access Control Bypass Vulnerability

The Apache Tomcat project has recently published a security notice for an access control bypass vulnerability in the mod_jk connector (CVE-2018-11759). A proof of concept (PoC) is already public, so affected users should take note and apply preventive measures promptly.

The Apache Tomcat JK Connector (mod_jk) is a module that lets the Apache HTTP Server (httpd) or IIS forward requests to back-end Tomcat instances over the AJP protocol; it supports clustering and load balancing. This vulnerability (CVE-2018-11759) is of the same kind as the earlier CVE-2018-1323: the httpd-specific code in mod_jk that normalizes the requested path before matching it against the URI-worker map did not handle some edge cases correctly, in particular the handling of ";" path parameters. Because httpd evaluates its own access controls on the path as it received it, while mod_jk matches the URI-worker map against its normalized form, the two components can reach different conclusions about the same request. An attacker can therefore craft a request that httpd does not recognize as protected but that mod_jk still routes to the restricted worker, bypassing the access control configured in httpd.
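To make the mechanism concrete, the following is an added illustrative model, not code from mod_jk, httpd or the advisory. It shows how an access-control decision taken on the raw path and a routing decision taken on a differently normalized path can disagree, and enumerates the probe paths on which they do. The httpd configuration it assumes (a denied /jkstatus location plus two JkMount entries), the worker names and the probe list are all constructed for the example; the trailing-";" request form follows the public PoC. The normalization function is a model of the behaviour the advisory describes, not a copy of mod_jk's code.

```python
"""Model of the path-normalization mismatch behind CVE-2018-11759 (added example)."""

# Hypothetical httpd configuration (assumption, not from the advisory):
#   <Location /jkstatus>
#       Require all denied
#   </Location>
#   JkMount /jkstatus jkstatus
#   JkMount /examples/* ajp13w
DENIED_LOCATIONS = ["/jkstatus"]
URI_WORKER_MAP = [("/jkstatus", "jkstatus"), ("/examples/*", "ajp13w")]
SENSITIVE_WORKERS = {"jkstatus"}   # workers the <Location> block is meant to shield


def location_matches(location: str, path: str) -> bool:
    """httpd <Location> semantics: exact match or a sub-path on a '/' boundary.
    '/jkstatus;' is neither, so a <Location /jkstatus> block never sees it."""
    return path == location or path.startswith(location.rstrip("/") + "/")


def httpd_allows(path: str) -> bool:
    """Access control is evaluated on the path exactly as httpd received it."""
    return not any(location_matches(loc, path) for loc in DENIED_LOCATIONS)


def modjk_normalize_vulnerable(path: str) -> str:
    """Model of the pre-1.2.46 behaviour described in the advisory: ';' path
    parameters (the mechanism used for ';jsessionid=...') are stripped from each
    segment before matching, so '/jkstatus;' and '/jkstatus;x=y' become '/jkstatus'."""
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    normalized = "/".join(segments)
    while "//" in normalized:
        normalized = normalized.replace("//", "/")
    return normalized


def modjk_worker_for(normalized_path: str):
    """URI-worker mapping: exact entries and '/prefix/*' wildcard entries."""
    for pattern, worker in URI_WORKER_MAP:
        if pattern.endswith("/*"):
            base = pattern[:-2]
            if normalized_path == base or normalized_path.startswith(base + "/"):
                return worker
        elif normalized_path == pattern:
            return worker
    return None


def find_bypasses(probes):
    """Return (probe, worker) pairs where httpd lets the request through but
    mod_jk routes it to a worker the <Location> block was supposed to protect."""
    hits = []
    for probe in probes:
        if not httpd_allows(probe):
            continue                      # httpd rejected it; mod_jk never runs
        worker = modjk_worker_for(modjk_normalize_vulnerable(probe))
        if worker in SENSITIVE_WORKERS:
            hits.append((probe, worker))
    return hits


def httpd_allows_canonical(path: str) -> bool:
    """Design principle, not the actual 1.2.46 fix: if the access-control check
    and the routing decision were taken on the same canonical form of the path,
    the disagreement could not arise."""
    return httpd_allows(modjk_normalize_vulnerable(path))


# Constructed probe set: the trailing-';' form from the public PoC plus variants.
PROBES = [
    "/jkstatus",                 # denied by httpd, never reaches mod_jk
    "/jkstatus;",                # PoC form: slips past <Location>, mapped to jkstatus
    "/jkstatus;x=y",
    "/jkstatus;jsessionid=abc",  # the legitimate use of ';' that the stripping serves
    "/examples/index.jsp",       # ordinary traffic, unaffected
]

if __name__ == "__main__":
    for probe, worker in find_bypasses(PROBES):
        print(f"{probe!r}: httpd allows, mod_jk routes to worker {worker!r}")
```

Running the block lists the three ";" variants of /jkstatus as bypasses while the plain /jkstatus request is stopped by httpd and /examples traffic is unaffected. The same probe list is a reasonable starting point for testing a real deployment with curl against a staging host, comparing the response for /jkstatus with the one for /jkstatus; before and after the upgrade.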

Affected versions:

  • Apache Tomcat JK mod_jk Connector 1.2.0 to 1.2.44

Unaffected versions:

  • Apache Tomcat JK mod_jk Connector 1.2.46 and later

Solution

Apache has released a new version that fixes the vulnerability. Affected users should upgrade to mod_jk 1.2.46 or later, which resolves the issue for good rather than relying on request filtering as a workaround.

Download the source code of the latest release from the official Apache Tomcat Connectors site, then compile and install it. After restarting httpd, confirm that the newly built module is the one actually loaded, for example by checking the mod_jk version reported in the JK log at startup, and re-test the previously protected paths with a trailing ";" to verify the bypass no longer works.