[SECURITY] CVE-2018-1323 Apache Tomcat JK ISAPI Connector path traversal

CVE-2018-1323 Apache Tomcat JK ISAPI Connector path traversal
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Tomcat JK ISAPI Connector 1.2.0 to 1.2.42
Description
The IIS/ISAPI specific code that normalised the requested path before
matching it to the URI-worker map did not handle some edge cases
correctly. If only a sub-set of the URLs supported by Tomcat were
exposed via IIS, then it was possible for a specially constructed
request to expose application functionality through the reverse proxy
that was not intended for clients accessing the application via the
reverse proxy.
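The following Python example is added here to illustrate the class of defect the description refers to; it is not Apache code and does not reproduce the actual mod_jk ISAPI normalisation logic. It assumes a constructed uriworkermap (the `/prefix/*=worker` line format is the real uriworkermap.properties syntax, but the entries are made up) and contrasts a naive prefix match on the raw request path with a match performed only after the path has been decoded and its dot segments and duplicate slashes collapsed. The point for a defender is the check itself: whatever the reverse proxy matches against its exposed-URI map must be the same canonical form the backend will ultimately resolve.

```python
import posixpath
from urllib.parse import unquote

# Constructed sample map: only /examples/* is meant to be reachable through IIS.
SAMPLE_URIWORKERMAP = """
# comment lines and blank lines are ignored
/examples/*=ajp13w
"""


def parse_uriworkermap(text):
    """Parse '/pattern=worker' lines into a list of (pattern, worker) tuples."""
    mounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, worker = line.split("=", 1)
        mounts.append((pattern.strip(), worker.strip()))
    return mounts


def normalize_path(raw_path):
    """Canonicalise a request path before it is compared with the mount table.

    Steps (one reasonable canonical form, not mod_jk's exact algorithm):
      1. drop the query string,
      2. percent-decode once,
      3. treat backslashes as slashes (IIS tolerates both),
      4. collapse '.', '..' and repeated '/' with posixpath.normpath,
      5. keep a trailing slash if the client sent one.
    Returns None for a path that does not start at the root.
    """
    path = raw_path.split("?", 1)[0]
    path = unquote(path)
    path = path.replace("\\", "/")
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    if not norm.startswith("/"):
        return None
    return norm


def pattern_matches(pattern, path):
    """Match a uriworkermap pattern: '/dir/*' is a prefix mount, anything else is exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-1]           # '/examples/*' -> '/examples/'
        return path.startswith(prefix) or path == prefix.rstrip("/")
    return path == pattern


def select_worker_naive(raw_path, mounts):
    """Weak form: compares the raw path as sent by the client."""
    for pattern, worker in mounts:
        if pattern_matches(pattern, raw_path):
            return worker
    return None


def select_worker(raw_path, mounts):
    """Hardened form: normalises first, so the decision is made on the path the backend will see."""
    path = normalize_path(raw_path)
    if path is None:
        return None
    for pattern, worker in mounts:
        if pattern_matches(pattern, path):
            return worker
    return None


if __name__ == "__main__":
    mounts = parse_uriworkermap(SAMPLE_URIWORKERMAP)
    # Constructed request paths: the first two are legitimate, the rest resolve outside /examples/.
    for raw in ("/examples/index.html", "/examples/",
                "/examples/../manager/html", "/examples/%2e%2e/manager/html"):
        print(f"{raw:40} naive={select_worker_naive(raw, mounts)!s:7} "
              f"normalised={select_worker(raw, mounts)}")
```

Run stand-alone, the script shows the naive matcher forwarding the dot-segment paths to the worker while the normalising matcher refuses them; the same table-driven check can be applied to any allowlist that sits in front of a backend with its own path resolution.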
Mitigation
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat JK ISAPI Connector 1.2.43 or later.
- Use alternative measures (e.g. the remote address filter) to restrict
access to trusted users.
Credit:
This issue was discovered by Alphan Yavas from Biznet Bilisim A.S. and
reported responsibly to the Apache Tomcat Security Team.
References:
[1] http://tomcat.apache.org/security-jk.html

Source: Apache
