CVE-2023-41081 - Authentication Bypass in Apache Tomcat Connectors (mod_jk) Explained in Simple Terms

Date disclosed: 2023-09-13
Updated summary: 2023-09-28
Impacted Software: Apache Tomcat Connectors (mod_jk) 1.2. – 1.2.48
Fixed in: mod_jk version 1.2.49

What is CVE-2023-41081?

CVE-2023-41081 is a serious security issue affecting the mod_jk component of Apache Tomcat Connectors. If you are using mod_jk as a bridge between your Apache HTTP server (httpd) and Tomcat servers, and have special configuration like JkOptions +ForwardDirectories, your setup may have had an authentication bypass vulnerability that could expose sensitive resources or bypass your web app’s access controls.

Why is it Dangerous?

In plain language, this bug could let attackers access parts of your backend that you never intended to expose, simply because of missing or incomplete configuration in Apache mod_jk.

For example:
If you didn't explicitly state (or "mount") all possible URL paths that can be forwarded, mod_jk used an implicit fallback rule. That fallback could accidentally send sensitive requests (like /jkstatus or admin-only endpoints) to the status worker or an internal resource, skipping your security settings at the front (Apache HTTPD) level.

Let’s break down what happened, step by step

1. Configuration Example: Many admins used the JkOptions +ForwardDirectories option, which forwards unknown subdirectories automatically.
2. Implicit Mapping: If a request wasn't explicitly matched by your Apache configuration, mod_jk would pick the first worker listed and send the request there.
3. Consequence: This meant unauthorized requests might be serviced by internal workers intended for things like status pages or admin tasks, bypassing authentication.

Here's a simplified visual

Request: http://yourdomain.com/unprotected/path  
  ↓
mod_jk picks the FIRST worker if nothing matches explicitly  
  ↓
Sends to the backend (Tomcat worker) without you meaning it to

Suppose you have mod_jk set up like this in your httpd.conf or mod_jk.conf

JkMount /app1/* worker1
JkMount /status worker_status

JkOptions +ForwardDirectories

If a user requests /status, it goes to worker_status.
If a user requests /app1/test, it goes to worker1.
But, if a user requests /ANYTHING_UNKNOWN, with +ForwardDirectories, mod_jk would send that to the first worker (worker1) even though there was no explicit mapping.

Worse:
If your workers are mapped to things like jkstatus (mod_jk's own status handler), an attacker can just request /jkstatus or similar, and gain internal insights without authentication – possibly even allowing control over the connector.

Here’s a simplified way an attacker might exploit this

curl http://yourdomain.com/jkstatus

If mod_jk is set with +ForwardDirectories and lacks an explicit JkMount for /jkstatus, this could respond with the mod_jk status page, even if that's supposed to be protected.

Upgrade mod_jk to at least version 1.2.49.

- The implicit fallback mapping feature has been removed. All proxy mappings MUST be specified explicitly.

Example fixed configuration

JkMount /app1/* worker1
JkMount /status worker_status
# No JkOptions +ForwardDirectories

Original Apache Security Advisory:

https://lists.apache.org/thread/pj53csz2ldre3hwz8z5sf3033zc1cwl5

CVE Details Page:

https://nvd.nist.gov/vuln/detail/CVE-2023-41081

mod_jk Documentation:

https://tomcat.apache.org/connectors-doc/

Upgrade mod_jk to 1.2.49 or later.

- This fixes a bug that could let hackers sidestep your front-end security and reach sensitive parts of your Tomcat servers.

Staying current with patches isn't just best practice—sometimes, it’s your only shield.

Timeline

Published on: 09/13/2023 10:15:07 UTC
Last modified on: 09/29/2023 00:15:12 UTC