For those of you who use mod_jk, please upgrade to the latest version.
---------- Forwarded message ---------
From: Mark Thomas <markt@xxxxxxxxxx>
Date: Mon, Sep 23, 2024 at 4:43 AM
Subject: [SECURITY] CVE-2024-46544 Apache mod_jk - Information Disclosure / Denial of Service
To: Tomcat Users List <users@xxxxxxxxxxxxxxxxx>
Cc: Tomcat Developers List <dev@xxxxxxxxxxxxxxxxx>, <announce@xxxxxxxxxx>,
announce@xxxxxxxxxxxxxxxxx <announce@xxxxxxxxxxxxxxxxx>
CVE-2024-46544 Apache mod_jk - Information Disclosure / DoS
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
- JK 1.2.9-1.2.49 (mod_jk on Unix-like platforms only)
Description:
Incorrect default permissions for the memory-mapped file configured by
the JkShmFile directive on Unix-like systems allow local users to view
and/or modify the contents of the shared memory containing mod_jk
configuration and status information. This could result in information
disclosure and/or denial of service.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to mod_jk 1.2.50 or later
History:
2024-09-23 Original advisory
References:
[1] https://tomcat.apache.org/security-jk.html
--
------------------------------------------------------------------------------------
Jennifer Oxelson Ganter NSF Unidata
Software Engineer IV P.O. Box 3000
oxelson@xxxxxxxx Boulder, CO 80307
------------------------------------------------------------------------------------
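The advisory above hinges on the permission bits of the file named by JkShmFile. The script below is an added example for defenders, not code from the advisory or from the mod_jk project: it reads the JkShmFile path out of an httpd configuration file and reports whether any user other than the file's owner can read or write it. The config snippet and file names it is exercised with are constructed for illustration; the upgrade to 1.2.50 or later remains the fix, and this check only tells you whether an existing deployment is exposed.

```shell
#!/bin/sh
# Added example (not part of the advisory or of mod_jk): audit the permission
# bits of the shared-memory file named by a JkShmFile directive so a local
# administrator can see whether other local users can read or modify it.
# Config paths used when running this are assumed/constructed, not defaults
# taken from the advisory.

# Print the octal permission bits of a file (GNU stat first, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Print the path from the first JkShmFile directive in a config file,
# with optional surrounding double quotes stripped. Prints nothing if absent.
jk_shm_path() {
    awk '$1 == "JkShmFile" { p = $2; gsub(/^"|"$/, "", p); print p; exit }' "$1"
}

# Return 0 when the group and other bits are all zero (owner-only access),
# 1 when any other user could read or write the file, 2 if it cannot be stat'ed.
shm_perms_ok() {
    mode=$(file_mode "$1") || return 2
    [ -n "$mode" ] || return 2
    # Keep only the last three octal digits (drop setuid/setgid/sticky).
    mode=${mode#"${mode%???}"}
    case "$mode" in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Resolve the JkShmFile from a config file and report its exposure.
# Exit status mirrors shm_perms_ok (0 ok, 1 exposed, 2 error).
audit_jk_shm() {
    path=$(jk_shm_path "$1")
    if [ -z "$path" ]; then
        echo "ERROR: no JkShmFile directive found in $1" >&2
        return 2
    fi
    shm_perms_ok "$path"
    rc=$?
    case $rc in
        0) echo "OK: $path (mode $(file_mode "$path")) is accessible to its owner only" ;;
        1) echo "WARNING: $path (mode $(file_mode "$path")) is readable or writable by group/other users" ;;
        *) echo "ERROR: cannot stat $path" >&2 ;;
    esac
    return $rc
}

# Usage: ./jk_shm_audit.sh /path/to/httpd/conf/jk.conf
if [ $# -ge 1 ]; then
    audit_jk_shm "$1"
fi
```

Run it against each configuration file that carries a JkShmFile directive; a WARNING means the file is exposed in the way the advisory describes and the host should be moved to a fixed mod_jk release.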