SPS apache vulnerability

Article ID: 125268

Products

CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

We have conducted vulnerability scanning and found the following vulnerability exists for SPS (version 12.52 SP1 CR06). Would like to confirm if this is a vulnerability of SPS and whether there is any fix for it? Thanks.

CVE-2018-11759 Apache Tomcat JK Web Server Connector Path Traversal Information Disclosure Vulnerability

Threat:
"The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. It is vulnerable only if jkstatus is present with specific configurations in the server.

Affected Versions:
Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44

QID Detection Logic (Unauthenticated):
It sends a GET request to serverIP/jkstatus; to check if target is vulnerable."

Impact:
This vulnerability can be exploited to bypass certain access restrictions which can allow disclosure of sensitive information of the system.

Solution:
"The vendor has advised to upgrade to Apache Tomcat JK ISAPI Connector to version 1.2.46 or later, which is available for download from Apache Tomcat jk connector (https://tomcat.apache.org/download-connectors.cgi) Web site.
Workaround: The vendor has advised to use alternative measures (e.g. the remote address filter) to restrict access to trusted users.
For more information please visit here (https://lists.apache.org/thread.html/[email protected]%3Cannounce.tomcat.apache.org%3E).
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Apache Tomcat JK (http://tomcat.apache.org/security-jk.html)"

Environment

* 12.52 SP1 CR6
  - Apache 2.4.23

* 12.8 SP1
  - Apache 2.4.29

* 12.52 SP1 CR9
  - Apache 2.4.33

Resolution

Please contact Support for details of the two options for obtaining a newer version of Apache or mod_jk.so
(refer to DE396882).

#1. mod_jk.so version 1.2.46 (for 12.52 SP1 CR09)

Please back up the existing mod_jk.so on your system and replace it with the above.

#2. Engineering-provided new Apache version 2.4.33 (for 12.52 SP1 CR06)
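As an added verification step (this script is not part of the article or the product), the following POSIX shell script reads the version string embedded in a mod_jk.so and reports whether the module is at or above the 1.2.46 release the vendor names as fixed, so the replacement in option #1 can be confirmed before and after swapping the file. It assumes mod_jk builds embed a string of the form mod_jk/x.y.z; the file path and the sample contents used in the comments are placeholders.

```shell
#!/bin/sh
# Added verification helper (not from the article): reads the version string embedded in a
# mod_jk.so and compares it with the release the vendor names as fixed (1.2.46).

FIXED_VERSION=1.2.46   # first fixed release per the vendor advice quoted above

# Print the version embedded in the module. Assumption: mod_jk builds embed a
# "mod_jk/x.y.z" string. Prints nothing and returns 1 if no such string is found.
jk_version_from_so() {
  v=$(grep -a -o 'mod_jk/[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' "$1" | head -n 1 | sed 's#^mod_jk/##')
  [ -n "$v" ] || return 1
  printf '%s\n' "$v"
}

# Return 0 if dotted version $1 >= $2, comparing numerically component by component
# (so 1.2.46 >= 1.2.9, which a plain string comparison would get wrong).
version_ge() {
  v1=$1; v2=$2
  while [ -n "$v1" ] || [ -n "$v2" ]; do
    p1=${v1%%.*}; p2=${v2%%.*}
    if [ "$v1" = "$p1" ]; then v1=''; else v1=${v1#*.}; fi
    if [ "$v2" = "$p2" ]; then v2=''; else v2=${v2#*.}; fi
    if [ "${p1:-0}" -gt "${p2:-0}" ]; then return 0; fi
    if [ "${p1:-0}" -lt "${p2:-0}" ]; then return 1; fi
  done
  return 0
}

# Exit status: 0 = at or above 1.2.46, 1 = inside the affected 1.2.0-1.2.44 range (or
# otherwise below the fix), 2 = no version string found (inspect the file by hand).
check_mod_jk() {
  found=$(jk_version_from_so "$1") || { echo "$1: no mod_jk version string found" >&2; return 2; }
  if version_ge "$found" "$FIXED_VERSION"; then
    echo "$1: mod_jk $found is at or above $FIXED_VERSION (fixed)"
    return 0
  fi
  echo "$1: mod_jk $found is below $FIXED_VERSION (affected by CVE-2018-11759)" >&2
  return 1
}

# Usage: sh check_mod_jk.sh /path/to/modules/mod_jk.so [...]   (path is a placeholder)
for f in "$@"; do
  check_mod_jk "$f" || true
done
```

Run it against the backed-up module and then against the replacement; the second run should report 1.2.46 as fixed.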