On November 22, 2018 4:19:40 PM UTC, GNK G <gnk...@gmail.com> wrote:
>Hello Team,
>
>According to the below link, we can check the vulnerability using
>"status" worker
>
>https://www.immunit.ch/blog/2018/11/01/cve-2018-11759-apache-mod_jk-access-bypass/
>
>I am able to simulate the issue using the above method.
>
>But it is specific only to "status" worker.
>
>Does that mean the issue is only specific to "status" worker? If we
>don't use it, is it not vulnerable?

No. The vulnerability is not specific to the status worker.

>I am trying the same method in other URL (by appending ;) in our
>server, it is always going for authentication. So can I assume it does
>not affect other part in our server?

No. Whether or not you are vulnerable will depend on multiple factors.

If you are applying access controls in httpd to a subset of the URLs served by
Tomcat or if Tomcat serves only a subset of the URLs accessible through httpd
then you are probably vulnerable.

Mark
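
As a defender-side illustration of the point in the reply above (an added example, not part of the original thread or of mod_jk): the sketch below scans access-log lines for request paths that fall under an httpd-protected prefix only after `;` path parameters are stripped. The protected prefixes, the log lines and the simplified prefix-matching model are assumptions constructed for the example.

```python
import re

# Assumption: URL prefixes that httpd protects with <Location> access controls.
PROTECTED_PREFIXES = ["/jkstatus", "/app/admin"]

# Request line and status code of a common/combined format access-log entry.
LOG_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')

def strip_path_params(path):
    """Drop ';param' from every segment, as a servlet container reads the path."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))

def under_prefix(path, prefix):
    """Segment-boundary prefix match: a simplified model of <Location> matching."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def suspicious(target):
    """Return the protected prefix that matches only once path parameters
    are stripped (httpd and the backend disagree about the path), else None."""
    path = target.split("?", 1)[0]
    if ";" not in path:
        return None
    stripped = strip_path_params(path)
    for prefix in PROTECTED_PREFIXES:
        if under_prefix(stripped, prefix) and not under_prefix(path, prefix):
            return prefix
    return None

def scan(lines):
    """Return (request target, status, protected prefix) for each flagged line."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and (prefix := suspicious(m.group(1))):
            hits.append((m.group(1), int(m.group(2)), prefix))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Nov/2018:16:00:01 +0000] "GET /jkstatus HTTP/1.1" 403 199',
    '192.0.2.10 - - [22/Nov/2018:16:00:02 +0000] "GET /jkstatus; HTTP/1.1" 200 4312',
    '198.51.100.7 - - [22/Nov/2018:16:01:10 +0000] "GET /app/index.jsp;jsessionid=ABC123 HTTP/1.1" 200 1024',
    '203.0.113.5 - - [22/Nov/2018:16:02:30 +0000] "GET /app/admin;/users?id=1 HTTP/1.1" 200 880',
    '203.0.113.5 - - [22/Nov/2018:16:02:31 +0000] "GET /app/admin/users;jsessionid=ABC HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for target, status, prefix in scan(SAMPLE_LOG):
        print(f"{status} {target} (reaches content under {prefix})")
```

A flagged request with a 2xx status is the case worth investigating; ordinary `;jsessionid=` URLs outside the protected prefixes are not reported.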
