Thanks Mark. Got clarified.

On Thu, Nov 22, 2018 at 10:50 PM Mark Thomas <m...@homeinbox.net> wrote:
> On November 22, 2018 4:19:40 PM UTC, GNK G <gnk...@gmail.com> wrote:
> >Hello Team,
> >
> >According to the below link, we can check the vulnerability using
> >"status" worker
> >
> >https://www.immunit.ch/blog/2018/11/01/cve-2018-11759-apache-mod_jk-access-bypass/
> >
> >I am able to simulate the issue using the above method.
> >
> >But it is specific only to "status" worker.
> >
> >Does that mean, the issue is only specific to "status" worker, if we
> >don't use it, is it not vulnerable.
>
> No. The vulnerability is not specific to the status worker.
>
> >I am trying the same method in other URL (by appending ;) in our
> >server, it is always going for authentication. So can I assume, it does
> >not affect other part in our server.
>
> No. Whether or not you are vulnerable will depend on multiple factors.
>
> If you are applying access controls in httpd to a subset of the URLs
> served by Tomcat or if Tomcat serves only a subset of the URLs accessible
> through httpd then you are probably vulnerable.
>
> Mark
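
A log check for the situation Mark describes, as an added example that is not part of the original thread: it flags requests whose raw path falls outside a prefix that httpd restricts but falls inside it once `;` path parameters are removed. The prefix list, the simplified prefix matching and the sample log lines are assumptions constructed for illustration.

```python
import re

# Assumption: URL prefixes that httpd restricts with access controls.
PROTECTED_PREFIXES = ["/jkstatus", "/admin"]

# Request and status fields of a Common Log Format line.
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')

def strip_path_params(path):
    """Drop ';param' from each segment, as a servlet container reads the path."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))

def under_prefix(path, prefix):
    """Simplified prefix match: the prefix itself or anything below it."""
    return path == prefix or path.startswith(prefix + "/")

def is_suspect(path):
    """True when only the parameter-stripped path lands in a protected prefix."""
    raw = path.split("?", 1)[0]          # ignore the query string
    stripped = strip_path_params(raw)
    return any(
        under_prefix(stripped, p) and not under_prefix(raw, p)
        for p in PROTECTED_PREFIXES
    )

def scan(lines):
    """Return (path, status) for every suspect request in the log lines."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_suspect(m.group(1)):
            hits.append((m.group(1), int(m.group(2))))
    return hits

# Constructed sample access log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Nov/2018:16:00:01 +0000] "GET /jkstatus HTTP/1.1" 401 381',
    '192.0.2.10 - - [22/Nov/2018:16:00:05 +0000] "GET /jkstatus; HTTP/1.1" 200 5120',
    '192.0.2.11 - - [22/Nov/2018:16:01:12 +0000] "GET /app/index.jsp;jsessionid=ABC123 HTTP/1.1" 200 900',
    '192.0.2.12 - - [22/Nov/2018:16:02:40 +0000] "GET /admin;x/users HTTP/1.1" 200 77',
    '192.0.2.12 - - [22/Nov/2018:16:02:44 +0000] "GET /admin/users;jsessionid=1 HTTP/1.1" 401 381',
]

if __name__ == "__main__":
    for path, status in scan(SAMPLE_LOG):
        print(f"{status} {path}")
```

A flagged request with a success status is the case worth investigating; percent-encoded semicolons are not decoded by this check.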