
Apache Tomcat JK connector security bypass

Description

The Apache Tomcat JK Web Server Connector versions 1.2.x prior to 1.2.23 contain a URL decoding vulnerability in the mod_jk module. The connector decodes request URLs at the Apache HTTP Server level before forwarding them to Tomcat, which decodes them again, so the two servers interpret the same URL differently. Attackers can exploit this by crafting requests with double-encoded sequences (such as the double-encoded dot-dot sequence %252e%252e) that pass Apache's access controls after a single decode but are interpreted as directory traversal by Tomcat after the second decode, allowing unauthorized access to protected resources.

Remediation

Immediately upgrade the Apache Tomcat JK Web Server Connector to version 1.2.23 or later, which addresses this URL decoding vulnerability. Follow these steps:

1. Download the latest stable version of mod_jk from the official Apache Tomcat Connectors project
2. Stop the Apache HTTP Server service
3. Replace the existing mod_jk module with the updated version
4. Verify the JkMount directives in your Apache configuration are correctly scoped and do not use overly permissive patterns
5. Restart Apache HTTP Server and test the connector functionality
6. Review access logs for any suspicious patterns indicating exploitation attempts (look for double-encoded dot-dot sequences such as %252e%252e, i.e. a %25 followed by 2e)

As a temporary mitigation if immediate patching is not possible, review and restrict JkMount directives to specific paths only, and consider implementing additional URL validation at the Apache level using mod_rewrite rules to block requests containing multiple levels of URL encoding.
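The following Python script is an added example, not code from Invicti or from the Apache Tomcat Connectors project. It models the decode-once versus decode-twice discrepancy described above against a hypothetical protected prefix (/app/WEB-INF/), shows a front-end style guard that rejects requests still carrying %XX sequences after one decode (the same idea as the mod_rewrite mitigation), and scans a few constructed access-log lines for the %252e patterns mentioned in step 6. All paths, addresses and log lines are constructed for illustration.

```python
# Added example (not from the Invicti page or the Apache Tomcat project).
# Models the mod_jk 1.2.x < 1.2.23 decoding discrepancy, a guard against
# residual (double) URL encoding, and an access-log scan for exploitation
# attempts. All data below is constructed.
import posixpath
import re
from urllib.parse import unquote

# Hypothetical access-controlled location, comparable to a Deny rule in Apache.
PROTECTED_PREFIX = "/app/WEB-INF/"


def apache_view(raw_path: str) -> str:
    """Path as a front end that decodes once sees it (access control runs on this)."""
    return posixpath.normpath(unquote(raw_path))


def tomcat_view(raw_path: str) -> str:
    """Path as the backend sees it when the front end already decoded once
    and the backend decodes again (the vulnerable behaviour)."""
    return posixpath.normpath(unquote(unquote(raw_path)))


def access_control_allows(path: str) -> bool:
    """Front-end rule: deny anything under the protected prefix."""
    return not path.startswith(PROTECTED_PREFIX)


def decoding_discrepancy(raw_path: str) -> dict:
    """Report what each side sees and whether the front-end check is bypassed."""
    front = apache_view(raw_path)
    back = tomcat_view(raw_path)
    return {
        "front_end_sees": front,
        "backend_sees": back,
        "front_end_allows": access_control_allows(front),
        "backend_reaches_protected": back.startswith(PROTECTED_PREFIX),
    }


# A %XX left over after one decode means the client double-encoded the URL.
RESIDUAL_ENCODING = re.compile(r"%[0-9A-Fa-f]{2}")


def reject_residual_encoding(raw_path: str) -> bool:
    """True if the request should be refused because it is multiply encoded.
    Mirrors a front-end rule that blocks multiple levels of URL encoding."""
    return RESIDUAL_ENCODING.search(unquote(raw_path)) is not None


# Double-encoded dot, slash or backslash in the raw request target.
DOUBLE_ENCODED_TRAVERSAL = re.compile(r"%25(?:2e|2f|5c)", re.IGNORECASE)

# Minimal parser for Apache combined/common log lines (constructed format subset).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines; only lines 2 and 4 carry double encoding.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2007:12:00:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 1420
203.0.113.7 - - [10/May/2007:12:00:02 +0000] "GET /app/public/%252e%252e/WEB-INF/web.xml HTTP/1.1" 200 3120
198.51.100.4 - - [10/May/2007:12:00:03 +0000] "GET /app/docs/%2e%2e/index.jsp HTTP/1.1" 403 220
203.0.113.7 - - [10/May/2007:12:00:04 +0000] "GET /app/%252E%252E/%252e%252e/WEB-INF/classes/ HTTP/1.1" 200 950
"""


def scan_access_log(text: str) -> list:
    """Return one record per request whose raw target contains a double-encoded
    traversal sequence, with the path the backend would have resolved."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not DOUBLE_ENCODED_TRAVERSAL.search(m["target"]):
            continue
        raw_path = m["target"].split("?", 1)[0]
        hits.append({
            "ip": m["ip"],
            "target": m["target"],
            "status": int(m["status"]),
            "backend_path": tomcat_view(raw_path),
        })
    return hits


if __name__ == "__main__":
    probe = "/app/public/%252e%252e/WEB-INF/web.xml"
    print(decoding_discrepancy(probe))
    print("reject:", reject_residual_encoding(probe))
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

A 200 status on a request whose backend_path resolves under the protected prefix is the line worth escalating; the single-encoded request on line 3 is caught by the front end itself (403) and is not flagged by the scan.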
