Bug 927845 - (CVE-2014-8111) VUL-1: CVE-2014-8111: apache2-mod_jk: Tomcat mod_jk information leak due to incorrect JkMount/JkUnmount directives processing
(CVE-2014-8111)
VUL-1: CVE-2014-8111: apache2-mod_jk: Tomcat mod_jk information leak due to i...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/115808/
CVSSv2:NVD:CVE-2014-8111:5.0:(AV:N/AC...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-04-20 12:58 UTC by Andreas Stieger
Modified: 2020-04-24 14:22 UTC (History)
5 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
upstream patch (21.18 KB, patch)
2015-04-20 12:58 UTC, Andreas Stieger
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Stieger 2015-04-20 12:58:04 UTC
Via RH:

A vulnerability has been found in the mod_jk connector relating to the use of JkMount and JkUnmount.

A JkUnmount rule for a subtree of a previous JkMount rule could be ignored. This could allow a remote attacker to potentially access a private artifact in a directory tree that would otherwise not be accessible to them.

If you use a mount rule like

JkMount /a/b/* myworker

Then 

JkUnmount /a/b/private/* myworker

Artifacts in the private folder would still be accessible.

This vulnerability affected all versions of mod_jk.



Patch: http://svn.apache.org/viewvc?view=revision&revision=1647017 and attached.


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1182591
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8111
https://rhn.redhat.com/errata/RHSA-2015-0848.html
https://rhn.redhat.com/errata/RHSA-2015-0846.html
https://rhn.redhat.com/errata/RHSA-2015-0849.html
https://rhn.redhat.com/errata/RHSA-2015-0847.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8111
Comment 1 Andreas Stieger 2015-04-20 12:58:52 UTC
Created attachment 631642 [details]
upstream patch
Comment 3 Swamp Workflow Management 2015-04-20 22:02:03 UTC
bugbot adjusting priority
Comment 5 Tomáš Chvátal 2015-06-04 12:01:07 UTC
Sent to Factory, rest can be done when requested.
Comment 6 Bernhard Wiedemann 2015-06-09 13:00:10 UTC
This is an autogenerated message for OBS integration:
This bug (927845) was mentioned in
https://build.opensuse.org/request/show/311304 Factory / apache2-mod_jk
Comment 7 Marcus Meissner 2015-10-02 07:10:07 UTC
can you submit for SLE12 ? we are doing a apache2-mod_jk update to handle the mpm situation

also SUSE:SLE-12-SP1:GA does notg have the fix, but a forked apache2-mod_jk.
Comment 8 Tomáš Chvátal 2015-10-05 10:56:36 UTC
(In reply to Marcus Meissner from comment #7)
> can you submit for SLE12 ? we are doing a apache2-mod_jk update to handle
> the mpm situation
> 
> also SUSE:SLE-12-SP1:GA does notg have the fix, but a forked apache2-mod_jk.

SLE12Update and SP1GA both done. Do you want it for SLE11SP4 too?
Comment 10 Marcus Meissner 2015-10-05 14:13:29 UTC
11-sp4 not at this time.
Comment 11 Swamp Workflow Management 2015-10-30 16:11:37 UTC
SUSE-SU-2015:1851-1: An update that solves four vulnerabilities and has 9 fixes is now available.

Category: security (moderate)
Bug References: 444878,869790,911159,915666,927845,930228,931002,931723,938723,938728,939516,949766,949771
CVE References: CVE-2014-8111,CVE-2015-3183,CVE-2015-3185,CVE-2015-4000
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    apache2-2.4.10-14.10.1
SUSE Linux Enterprise Server 12 (src):    apache2-2.4.10-14.10.1, apache2-mod_auth_kerb-5.4-2.4.1, apache2-mod_jk-1.2.40-2.6.1, apache2-mod_security2-2.8.0-3.4.1
SUSE Enterprise Storage 1.0 (src):    apache2-mod_fastcgi-2.4.7-3.4.1
Comment 12 Petr Gajdos 2016-04-19 07:39:50 UTC
Submitted also to 11sp4, reassigning to security team.
Comment 18 Swamp Workflow Management 2018-12-03 20:14:05 UTC
SUSE-SU-2018:3970-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1114612,927845
CVE References: CVE-2014-8111,CVE-2018-11759
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    apache2-mod_jk-1.2.40-0.2.5.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    apache2-mod_jk-1.2.40-0.2.5.1
Comment 19 Alexandros Toptsoglou 2020-04-24 14:22:19 UTC
Done