CVE-2023-41081: Apache Tomcat Connectors: Unexpected use of first declared worker in mod_jk for unmapped request
First published: Wed Sep 13 2023(Updated: )
Important: Authentication Bypass CVE-2023-41081 The mod_jk component of Apache Tomcat Connectors in some circumstances, such as when a configuration included "JkOptions +ForwardDirectories" but the configuration did not provide explicit mounts for all possible proxied requests, mod_jk would use an implicit mapping and map the request to the first defined worker. Such an implicit mapping could result in the unintended exposure of the status worker and/or bypass security constraints configured in httpd. As of JK 1.2.49, the implicit mapping functionality has been removed and all mappings must now be via explicit configuration. Only mod_jk is affected by this issue. The ISAPI redirector is not affected. This issue affects Apache Tomcat Connectors (mod_jk only): from 1.2.0 through 1.2.48. Users are recommended to upgrade to version 1.2.49, which fixes the issue. History 2023-09-13 Original advisory 2023-09-28 Updated summary
Credit: security@apache.org security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Tomcat Connectors | >=1.2.0<1.2.49 | |
| redhat/httpd | <1.2.49 | 1.2.49 |
| ubuntu/libapache-mod-jk | <1:1.2.43-1ubuntu0.1~ | 1:1.2.43-1ubuntu0.1~ |
| ubuntu/libapache-mod-jk | <1:1.2.46-1ubuntu0.1 | 1:1.2.46-1ubuntu0.1 |
| ubuntu/libapache-mod-jk | <1:1.2.48-1ubuntu0.1 | 1:1.2.48-1ubuntu0.1 |
| ubuntu/libapache-mod-jk | <1:1.2.48-2ubuntu0.1 | 1:1.2.48-2ubuntu0.1 |
| ubuntu/libapache-mod-jk | <1.2.49 | 1.2.49 |
| ubuntu/libapache-mod-jk | <1:1.2.41-1ubuntu0.1~ | 1:1.2.41-1ubuntu0.1~ |
| debian/libapache-mod-jk | 1:1.2.48-1+deb11u1 1:1.2.48-2+deb12u1 1:1.2.49-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2023/09/28/7
- https://lists.apache.org/thread/rd1r26w7271jyqgzr4492tooyt583d8b
- https://lists.debian.org/debian-lts-announce/2023/09/msg00027.html
- https://www.openwall.com/lists/oss-security/2023/09/13/2
- https://access.redhat.com/errata/RHSA-2023:7625
- https://access.redhat.com/errata/RHSA-2023:7626
- https://access.redhat.com/errata/RHSA-2024:2387
- https://bugzilla.redhat.com/show_bug.cgi?id=2238847
- https://launchpad.net/bugs/cve/CVE-2023-41081
- http://www.openwall.com/lists/oss-security/2023/09/13/2
- https://tomcat.apache.org/security-jk.html#Fixed_in_Apache_Tomcat_JK_Connector_1.2.49
- https://github.com/apache/tomcat-connectors/commit/0095b6cb84f41313ee4c0364b49c766168790792
- https://security-tracker.debian.org/tracker/CVE-2023-41081
- https://www.cve.org/CVERecord?id=CVE-2023-41081
- https://ubuntu.com/security/notices/USN-6826-1
- https://nvd.nist.gov/vuln/detail/CVE-2023-41081
- https://ubuntu.com/security/CVE-2023-41081
- collector/oss-sec
- alias/CVE-2023-41081
- collector/nvd-index
- agent/type
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/remedy
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/description
- collector/nvd-cve
- source/NVD
- collector/usn-cve
- source/Ubuntu
- agent/references
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/event
- collector/nvd-api
- agent/last-modified-date
- agent/tags
- agent/trending
- vendor/apache
- canonical/apache tomcat connectors
- version/apache tomcat connectors/1.2.0
- package-manager/redhat
- package-manager/ubuntu
- package-manager/debian