Apache mod_jk access control bypass - Vulnerability Database

Description

Apache mod_jk versions 1.2.0 through 1.2.44 contain an access control bypass vulnerability in the JK status manager administrative interface. The vulnerability stems from inconsistencies in how Apache httpd and Tomcat interpret URL paths, allowing attackers to circumvent access controls defined by JkMount directives. This enables unauthorized access to protected endpoints, including the JK status manager interface used for monitoring and configuring AJP (Apache JServ Protocol) worker connections between Apache and Tomcat.

Remediation

Apply the following remediation steps in order of priority:

1. Upgrade mod_jk: Update to Apache mod_jk version 1.2.46 or later, which contains a patch for this vulnerability. Download from the official Apache Tomcat Connectors page.

2. Implement stricter access controls: If immediate patching is not possible, modify your Apache httpd configuration to use more restrictive Location directives with wildcard patterns. Replace configurations like:

<Location /jkstatus>
  # access controls
</Location>

with:

<Location /jkstatus*>
  Require ip 127.0.0.1
  Require ip ::1
</Location>

3. Restrict network access: Limit JK status manager access to trusted IP addresses only, preferably localhost or internal management networks.

4. Disable if unused: If the JK status manager is not required for operations, disable it entirely by removing the JkMount directive from your configuration.
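The following script is an added example, not code from Invicti or the Apache Tomcat Connectors project. It performs a small configuration audit that mirrors remediation steps 2 through 4: it reads an httpd configuration fragment, finds JkMount directives that map a URL to a status worker, and reports when the covering <Location> block has no wildcard pattern, lacks an IP restriction, or is missing entirely. It assumes the status worker is named "jkstatus" (the worker with type=status in workers.properties); pass a different set of names via the status_workers parameter if your deployment uses another. The sample configurations and the minimal parser are constructed for the demonstration and handle only the directive forms shown on this page.

```python
import fnmatch
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample configuration fragments (not taken from any real deployment).
# WEAK_CONF uses an exact-path <Location>, the pattern the page says to replace.
WEAK_CONF = """\
# JK status manager mapped to the 'jkstatus' worker (assumed to be type=status)
JkMount /jkstatus jkstatus
<Location /jkstatus>
  Require ip 127.0.0.1
</Location>
JkMount /app/* worker1
"""

# HARDENED_CONF follows step 2 of the remediation: wildcard Location + loopback only.
HARDENED_CONF = """\
JkMount /jkstatus jkstatus
<Location /jkstatus*>
  Require ip 127.0.0.1
  Require ip ::1
</Location>
JkMount /app/* worker1
"""


@dataclass
class LocationBlock:
    path: str
    directives: List[str] = field(default_factory=list)

    def has_wildcard(self) -> bool:
        # <Location> accepts fnmatch-style wildcards; "/jkstatus*" is the form the page recommends.
        return any(c in self.path for c in "*?")

    def has_ip_restriction(self) -> bool:
        # Accept "Require ip ..." (the page's form) or "Require local".
        return any(re.match(r"Require\s+(ip|local)\b", d, re.I) for d in self.directives)


def parse_conf(text: str) -> Tuple[List[Tuple[str, str]], List[LocationBlock]]:
    """Minimal parser: collects JkMount lines and plain <Location path> blocks.
    Regex-style <Location ~ ...> blocks and nested containers are not handled."""
    mounts: List[Tuple[str, str]] = []
    locations: List[LocationBlock] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        m = re.match(r"<Location\s+(\S+?)\s*>$", line, re.I)
        if m:
            current = LocationBlock(m.group(1))
            continue
        if re.match(r"</Location>$", line, re.I):
            if current is not None:
                locations.append(current)
            current = None
            continue
        if current is not None:
            current.directives.append(line)
            continue
        m = re.match(r"JkMount\s+(\S+)\s+(\S+)$", line, re.I)
        if m:
            mounts.append((m.group(1), m.group(2)))
    return mounts, locations


def audit(text: str, status_workers=("jkstatus",)) -> List[Tuple[str, str]]:
    """Return (mount_path, issue) pairs for JkMount entries that route to a status worker."""
    findings: List[Tuple[str, str]] = []
    mounts, locations = parse_conf(text)
    for path, worker in mounts:
        if worker not in status_workers:
            continue  # ordinary application mounts are outside this check
        covering = [loc for loc in locations if fnmatch.fnmatchcase(path, loc.path)]
        if not covering:
            findings.append((path, "no-location-block"))  # step 4 territory: unprotected or should be removed
            continue
        for loc in covering:
            if not loc.has_wildcard():
                findings.append((path, "location-without-wildcard"))  # exact match is what step 2 replaces
            if not loc.has_ip_restriction():
                findings.append((path, "no-ip-restriction"))  # step 3: restrict to trusted addresses
    return findings


if __name__ == "__main__":
    for name, conf in (("WEAK_CONF", WEAK_CONF), ("HARDENED_CONF", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```

Run it against a real httpd.conf by reading the file into a string and calling audit() on it; an empty list means every status-worker mount is covered by a wildcard Location with an IP restriction, which is the end state remediation steps 2 and 3 describe.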