In today’s interconnected digital ecosystem, web server plugins like Apache Tomcat Connectors play a pivotal role. By enabling seamless communication between Apache Tomcat and other web servers and backends, they ensure web applications function efficiently. However, no software is impervious to vulnerabilities, as underscored by the recent disclosure related to Tomcat Connectors.
At its core, Apache Tomcat Connectors acts as a bridge. Its primary use is to connect Apache Tomcat to the Apache HTTP Server through the mod_jk module, but it also supports other web servers, such as Microsoft IIS (through the ISAPI redirector) and Nginx.
The protocol that enables this connectivity is the Apache JServ Protocol (AJP), a binary protocol designed for efficiency and scalability.
The newly disclosed vulnerability (CVE-2023-41081), rated “important” in severity, affects the mod_jk component and is triggered only under certain configurations.
If a configuration contains “JkOptions +ForwardDirectories” but does not provide explicit mounts for all requests that could be proxied, mod_jk could fall back to an implicit mapping and route the request to the first defined worker. Such an unintended mapping could expose the status worker or bypass security constraints configured in httpd.
Affected versions are Apache Tomcat Connectors 1.2.0 through 1.2.48. The ISAPI redirector is not affected.
A nod of gratitude is due to Karl von Randow, who diligently reported the CVE-2023-41081 vulnerability to the Tomcat security team, embodying the essence of responsible disclosure.
With the release of JK 1.2.49, the Tomcat team has removed the implicit mapping functionality. Every mapping must now be explicitly configured.
For users operating on impacted versions, consider the following mitigative steps:
- Upgrading – Move to Apache Tomcat Connectors (mod_jk) 1.2.49 or later, which removes the implicit mapping.
- Configuration Review – Ensure every request that could be proxied has an explicit mount configured, and check which worker is declared first in workers.properties, since that is the one an implicit mapping would select.
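As an added illustration (not taken from the advisory or the mod_jk project), the following shows a constructed mod_jk configuration with the condition described above, followed by a reviewed version in which every proxied path is mounted explicitly; the worker names, paths and the 127.0.0.1 restriction are assumptions.

```apache
# --- Before: the condition described in the advisory (constructed) ---
# workers.properties
#   worker.list=jkstatus,tomcat1      <- status worker is the first declared worker
#   worker.jkstatus.type=status
#   worker.tomcat1.type=ajp13
#   worker.tomcat1.host=127.0.0.1
#   worker.tomcat1.port=8009
#
# httpd.conf
#   JkWorkersFile conf/workers.properties
#   JkOptions +ForwardDirectories
#   JkMount /app/* tomcat1            <- only one path is mounted; on 1.2.0-1.2.48 a
#                                        forwarded directory request that matches no
#                                        mount falls back to the implicit mapping

# --- After: explicit mounts for every proxied path, status worker not first ---
# workers.properties
#   worker.list=tomcat1,jkstatus
#   (worker definitions unchanged)

# httpd.conf
JkWorkersFile conf/workers.properties
JkLogFile     logs/mod_jk.log
JkLogLevel    info

# Keep +ForwardDirectories only if every directory that may be forwarded
# has an explicit JkMount below; otherwise leave the option off (its default).
JkOptions +ForwardDirectories

# Explicit mounts for the application, including the bare directory path
# that ForwardDirectories would otherwise forward without a matching mount.
JkMount /app    tomcat1
JkMount /app/*  tomcat1

# Mount the status worker explicitly and restrict it to local administrators
# (assumed policy) instead of relying on it never being reached.
JkMount /jkstatus/* jkstatus
<Location "/jkstatus/">
    Require ip 127.0.0.1
</Location>

# Static content under /app stays with httpd and its own access rules;
# JkUnMount states that intent explicitly.
JkUnMount /app/static/* tomcat1
```

After upgrading to 1.2.49 or later, a request matching no explicit mount is no longer mapped to any worker, so the explicit mounts above also document what the module is expected to proxy.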