安全研究
安全漏洞
Apache Tomcat mod_jk Content-Length头信息泄露漏洞
发布日期:2009-04-07
更新日期:2009-04-08
受影响系统:
Apache Group mod_jk 1.2.0 - 1.2.26不受影响系统:
Apache Group mod_jk 1.2.27描述:
BUGTRAQ ID: 34412
CVE(CAN) ID: CVE-2008-5519
Apache Tomcat是一个流行的开放源码的JSP应用服务器程序。
如果恶意客户端向Apache Tomcat服务器的mod_jk模块提交了Content-Length头为空的恶意请求,或在短时间内反复提交相同的请求的话,就可以查看其他用户请求相关的响应。
<*来源:Mark Thomas
链接:http://marc.info/?l=tomcat-dev&m=123913700700879&w=2
http://secunia.com/advisories/34621/
http://www.debian.org/security/2009/dsa-1810
https://www.redhat.com/support/errata/RHSA-2009-0446.html
http://security.gentoo.org/glsa/glsa-200906-04.xml
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-66-262468-1
https://www.redhat.com/support/errata/RHSA-2009-1618.html
*>
建议:
厂商补丁:
Apache Group
------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://httpd.apache.org/
Debian
------
Debian已经为此发布了一个安全公告(DSA-1810-1)以及相应补丁:
DSA-1810-1:New libapache-mod-jk packages fix information
链接:http://www.debian.org/security/2009/dsa-1810
补丁下载:
Source archives:
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2.dsc
Size/MD5 checksum: 935 dc3dd860d8c7a2710943903b485b1afa
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2.diff.gz
Size/MD5 checksum: 11556 889ac12a51c93772cefad6af5225f7f7
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18.orig.tar.gz
Size/MD5 checksum: 929823 58e1b9406e0cfe11bd4bc297ba146b4f
Architecture independent packages:
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk-doc_1.2.18-3etch2_all.deb
Size/MD5 checksum: 118140 04190ed8b2fc8fea1bf98b1b1df14e9b
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.18-3etch2_alpha.deb
Size/MD5 checksum: 101802 b21ab36fc88cf555f9afe1f181124030
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2_alpha.deb
Size/MD5 checksum: 98112 29507ac73774562be5c8824cbbcc9131
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.18-3etch2_amd64.deb
Size/MD5 checksum: 97470 5a137194ffad6aca9bdfa2760447d635
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2_amd64.deb
Size/MD5 checksum: 93722 8642501f8588c5cf7fc990ccdd23ec4b
arm architecture (ARM)
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.18-3etch2_arm.deb
Size/MD5 checksum: 92860 e11d9d8cf00d6aa71a369d99c92b23f4
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2_arm.deb
Size/MD5 checksum: 89258 11fbf05bce072618c3f229c2986e23a6
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2_hppa.deb
Size/MD5 checksum: 102432 400787b4e1bc663e2a9dc3c0127c4e73
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.18-3etch2_hppa.deb
Size/MD5 checksum: 106314 63572306d8c9d8ea8c47e66b809195fd
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.18-3etch2_i386.deb
Size/MD5 checksum: 93386 92d553ae68620971f9b81d81400cc7aa
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2_i386.deb
Size/MD5 checksum: 89482 028881fdbf37c27de6fa3edd8fbd05c4
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2_ia64.deb
Size/MD5 checksum: 120858 6919a34dfa3dfee634a9642604a3e8ff
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.18-3etch2_ia64.deb
Size/MD5 checksum: 125960 cba7d736e52cabbe70de29f0e51cddf5
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2_mips.deb
Size/MD5 checksum: 86614 4c1700cd9242c833fa22dfad073756c6
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.18-3etch2_mips.deb
Size/MD5 checksum: 89758 e41ac894937a180111156157498843ab
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.18-3etch2_mipsel.deb
Size/MD5 checksum: 89858 aa269380dffa92119aa9004f82f98da2
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2_mipsel.deb
Size/MD5 checksum: 86710 769d82a08a391758a712b944f54b0cbb
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.18-3etch2_powerpc.deb
Size/MD5 checksum: 93420 f576dbcb12dec39481126d4d2b40ffe9
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2_powerpc.deb
Size/MD5 checksum: 90220 5716b5070274952d35957e07f33742c0
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.18-3etch2_s390.deb
Size/MD5 checksum: 99948 897e7b4cd9acb4a1a735d4e1a49474c9
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2_s390.deb
Size/MD5 checksum: 96176 d8f44d62414bc99fcf4360eb64d29b37
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.18-3etch2_sparc.deb
Size/MD5 checksum: 87926 0084f3bdb917e99f666d8fa7832d0b2a
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.18-3etch2_sparc.deb
Size/MD5 checksum: 91398 7ed7eedb497a1a0cecab652eb3bc1195
Debian GNU/Linux 5.0 alias lenny
- --------------------------------
Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
Source archives:
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.26-2+lenny1.dsc
Size/MD5 checksum: 1336 7070da05cbe8200e7d92dbfe9228ab0e
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.26.orig.tar.gz
Size/MD5 checksum: 1442605 feaec245136bc4d99a9dde95a00ea93c
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk_1.2.26-2+lenny1.diff.gz
Size/MD5 checksum: 12187 8b6e6b0abd76bae90c99c50ab1fee027
Architecture independent packages:
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache-mod-jk-doc_1.2.26-2+lenny1_all.deb
Size/MD5 checksum: 169998 d31f4efe7b78e94bf1c7cffabce17c6b
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.26-2+lenny1_alpha.deb
Size/MD5 checksum: 125008 0a99d6364abf9b5934dfe0814c9ac589
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.26-2+lenny1_amd64.deb
Size/MD5 checksum: 127806 84fe833769ac2a4cda17fb6f48b3ca6d
arm architecture (ARM)
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.26-2+lenny1_arm.deb
Size/MD5 checksum: 130600 81d9d588db9c29c0ff58d9fd395ffdd6
armel architecture (ARM EABI)
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.26-2+lenny1_armel.deb
Size/MD5 checksum: 133242 efa4faa96460d23682eb36958f475994
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.26-2+lenny1_hppa.deb
Size/MD5 checksum: 126034 45135481a1cc2689b9c5b6910fca0b03
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.26-2+lenny1_i386.deb
Size/MD5 checksum: 109874 bf54bb8f3489715932e5a07739a63dc4
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.26-2+lenny1_ia64.deb
Size/MD5 checksum: 168168 fc402d0ecfb2cf96fb1600633772e418
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.26-2+lenny1_mips.deb
Size/MD5 checksum: 111094 fe05eaac643aa26a9ca1ec755daa36ae
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.26-2+lenny1_mipsel.deb
Size/MD5 checksum: 110106 e037fea37091598bbbd6a0530b090e9c
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.26-2+lenny1_powerpc.deb
Size/MD5 checksum: 121816 f6be93aeec7aea7f10dac6c056086324
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.26-2+lenny1_s390.deb
Size/MD5 checksum: 129412 f3373807d3f321bd6d38b7fcdc4dad8f
sparc architecture (Sun SPARC/UltraSPARC)
http://security.debian.org/pool/updates/main/liba/libapache-mod-jk/libapache2-mod-jk_1.2.26-2+lenny1_sparc.deb
Size/MD5 checksum: 118514 3966e3f51da1b24f5fb45c6775c04918
补丁安装方法:
1. 手工安装补丁包:
首先,使用下面的命令来下载补丁软件:
# wget url (url是补丁下载链接地址)
然后,使用下面的命令来安装补丁:
# dpkg -i file.deb (file是相应的补丁名)
2. 使用apt-get自动安装补丁包:
首先,使用下面的命令更新内部数据库:
# apt-get update
然后,使用下面的命令安装更新软件包:
# apt-get upgrade
RedHat
------
RedHat已经为此发布了一个安全公告(RHSA-2009:0446-01)以及相应补丁:
RHSA-2009:0446-01:Important: mod_jk security update
链接:https://www.redhat.com/support/errata/RHSA-2009-0446.html
Sun
---
Sun已经为此发布了一个安全公告(Sun-Alert-262468)以及相应补丁:
Sun-Alert-262468:Security Vulnerability in the Apache 1.3 "mod_jk" Module may Lead to Unauthorized Access to Data
链接:http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-66-262468-1
Gentoo
------
Gentoo已经为此发布了一个安全公告(GLSA-200906-04)以及相应补丁:
GLSA-200906-04:Apache Tomcat JK Connector: Information disclosure
链接:http://security.gentoo.org/glsa/glsa-200906-04.xml
所有Apache Tomcat JK Connector用户都应升级到最新版本:
# emerge --sync
# emerge --ask --oneshot --verbose ">=3Dwww-apache/mod_jk-1.2.27"
浏览次数:4886
严重程度:0(网友投票)
绿盟科技给您安全的保障