Bug 33083

Summary: apache-mod_jk new security issue CVE-2023-41081
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, herman.viaene, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: apache-mod_jk-1.2.48-1.mga9.src.rpm CVE: CVE-2023-41081
Status comment:

Description Nicolas Salguero 2024-04-10 15:08:01 CEST 
SUSE has issued an advisory on April 10:
https://lwn.net/Articles/969302/

The problem is fixed in version 1.2.49.

Mageia 9 is also affected.
Nicolas Salguero 2024-04-10 15:08:28 CEST

Status comment: (none) => Fixed upstream in 1.2.49
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2023-41081
Source RPM: (none) => apache-mod_jk-1.2.48-1.mga9.src.rpm

Comment 1 Lewis Smith 2024-04-10 21:00:32 CEST 
Little activity on this, no one packager evident, so assigning globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2024-04-11 14:01:05 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

The mod_jk component of Apache Tomcat Connectors in some circumstances, such as when a configuration included "JkOptions +ForwardDirectories" but the configuration did not provide explicit mounts for all possible proxied requests, mod_jk would use an implicit mapping and map the request to the first defined worker. Such an implicit mapping could result in the unintended exposure of the status worker and/or bypass security constraints configured in httpd. As of JK 1.2.49, the implicit mapping functionality has been removed and all mappings must now be via explicit configuration. (CVE-2023-41081)

References:
https://lwn.net/Articles/969302/
========================

Updated packages in core/updates_testing:
========================
apache-mod_jk-1.2.49-1.mga9
apache-mod_jk-manual-1.2.49-1.mga9
apache-mod_jk-tools-1.2.49-1.mga9

from SRPM:
apache-mod_jk-1.2.49-1.mga9.src.rpm

Status: NEW => ASSIGNED
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Status comment: Fixed upstream in 1.2.49 => (none)
Assignee: pkg-bugs => qa-bugs

katnatek 2024-04-12 00:58:46 CEST

Keywords: (none) => advisory

Comment 3 Herman Viaene 2024-04-13 11:42:48 CEST 
MGA9-64 Plasma Wayland on HP-Pavillion
No installation issues.
Ref bug 16078 for testing
# systemctl  start httpd
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; preset: disabled)
     Active: active (running) since Sat 2024-04-13 11:34:48 CEST; 14s ago
   Main PID: 97529 (/usr/sbin/httpd)
     Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec:   0 B/sec"
      Tasks: 11 (limit: 4495)
     Memory: 47.7M
        CPU: 678ms
     CGroup: /system.slice/httpd.service
             ├─97529 /usr/sbin/httpd -DFOREGROUND
             ├─97849 /usr/sbin/httpd -DFOREGROUND
             ├─97852 /usr/sbin/httpd -DFOREGROUND
             ├─97854 /usr/sbin/httpd -DFOREGROUND
             ├─97858 /usr/sbin/httpd -DFOREGROUND
             └─97861 /usr/sbin/httpd -DFOREGROUND

Apr 13 11:34:48 mach4.hviaene.thuis systemd[1]: Starting httpd.service...
Apr 13 11:34:48 mach4.hviaene.thuis systemd[1]: Started httpd.service.
# systemctl  stop httpd
# httpd -M
Loaded Modules:
gives a long list, so used
# httpd -M | grep jk
 jk_module (shared)
Looks OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK

Comment 4 Thomas Andrews 2024-04-13 16:58:09 CEST 
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 5 Mageia Robot 2024-04-13 18:57:34 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0130.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED