CVE-2024-46544
📋 TL;DR
This vulnerability allows local users on Unix-like systems to view and modify shared memory containing mod_jk configuration due to incorrect default permissions. This could lead to information disclosure of sensitive configuration data or denial of service by corrupting the shared memory. Only Apache Tomcat Connectors mod_jk on Unix-like systems running versions 1.2.9-beta through 1.2.49 is affected.
💻 Affected Systems
- Apache Tomcat Connectors (mod_jk)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Local attackers could modify mod_jk configuration to redirect traffic, intercept sensitive data, or cause denial of service by corrupting shared memory, potentially affecting all web applications served through Tomcat.
Likely Case
Local users with access to the system could read sensitive configuration information (like worker configurations, load balancing settings) or cause intermittent service disruptions by modifying shared memory.
If Mitigated
With proper access controls and isolation, impact is limited to authorized local users who already have system access, reducing the attack surface significantly.
🎯 Exploit Status
Exploitation requires local access to the system. The vulnerability involves incorrect permissions on shared memory segments, which local users could potentially access with standard system tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.50
Vendor Advisory: https://lists.apache.org/thread/q1gp7cc38hs1r8gj8gfnopwznd5fpr4d
Restart Required: Yes
Instructions:
1. Download Apache Tomcat Connectors 1.2.50 or later from the official Apache website.
2. Stop the Apache web server.
3. Replace the existing mod_jk module with the new version.
4. Restart the Apache web server.
5. Verify that the version has been updated.
🔧 Temporary Workarounds
Restrict shared memory permissions
Linux: Manually adjust permissions on the mod_jk shared memory segments to restrict access to authorized users only.
# Identify mod_jk shared memory segments
ipcs -m | grep -i jk
# Set restrictive permissions (example - adjust based on your environment)
chmod 600 /dev/shm/jk*
# Or remove world-readable permissions
chmod o-rwx /dev/shm/jk*
🧯 If You Can't Patch
- Implement strict access controls to limit local user access to systems running mod_jk
- Monitor shared memory access and file permissions for unauthorized changes
🔍 How to Verify
Check if Vulnerable:
Check the mod_jk version: run httpd -M | grep jk if the module is loaded, or inspect the module file itself for its version string. Also verify the Apache Tomcat Connectors version if it was installed separately.
Check Version:
httpd -M 2>/dev/null | grep jk || find / -name "mod_jk.so" -exec strings {} \; | grep -i "JK_VERSION" || strings /usr/lib/apache2/modules/mod_jk.so | grep -i "JK_VERSION"
Verify Fix Applied:
Verify mod_jk version is 1.2.50 or later and check shared memory permissions are properly restricted.
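The two checks above (is the installed version inside the affected range, and is the shared memory file still readable or writable by other local users) can be scripted. The following is an added example, not code from the advisory or from the Apache project; it also covers the permission workaround given under "Temporary Workarounds". It assumes the shared memory file is whatever your httpd configuration's JkShmFile directive points at, and the demo at the bottom runs against constructed files in a temporary directory rather than a real deployment.

```shell
#!/bin/sh
# Added example, not code from the advisory or the Apache project.
# Two defender-side checks for CVE-2024-46544:
#   jk_version_affected VERSION  -> returns 0 when VERSION is in 1.2.9 .. 1.2.49
#   shm_file_too_open PATH       -> returns 0 when PATH grants any group/other bit
# Assumption: the shared memory file is the one named by JkShmFile in httpd's
# configuration; the demo below uses constructed files in a temp directory.

# Normalise "1.2.9-beta" to "1.2.9" and compare numerically, field by field.
jk_version_affected() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    set -- $(printf '%s' "$v" | tr '.' ' ')
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -eq 1 ] && [ "$minor" -eq 2 ] \
        && [ "$patch" -ge 9 ] && [ "$patch" -le 49 ]
}

# The fix is owner-only access: any r/w/x bit in the group or "other"
# columns of ls -l (characters 5-10) means the segment is exposed locally.
shm_file_too_open() {
    [ -e "$1" ] || return 2      # missing path: neither safe nor unsafe
    go=$(ls -ld "$1" | cut -c5-10)
    [ "$go" != "------" ]
}

# One line per path, so the output can go into a ticket or a SIEM.
# Returns 1 if any path is exposed, 0 otherwise.
audit_jk_shm() {
    rc=0
    for p in "$@"; do
        if shm_file_too_open "$p"; then
            echo "EXPOSED  $p  ($(ls -ld "$p" | cut -c1-10))"
            rc=1
        elif [ -e "$p" ]; then
            echo "ok       $p"
        else
            echo "missing  $p"
        fi
    done
    return $rc
}

# Demo on constructed files (file names are placeholders for JkShmFile).
demo=$(mktemp -d)
: > "$demo/jk-runtime-status";      chmod 644 "$demo/jk-runtime-status"
: > "$demo/jk-runtime-status.lock"; chmod 600 "$demo/jk-runtime-status.lock"
audit_jk_shm "$demo/jk-runtime-status" "$demo/jk-runtime-status.lock" \
    || echo "audit: at least one shared memory file is exposed"
jk_version_affected "1.2.49" && echo "1.2.49: affected, upgrade to 1.2.50"
jk_version_affected "1.2.50" || echo "1.2.50: not affected"
rm -rf "$demo"
```

Run audit_jk_shm against the real JkShmFile path (and its lock file, if present) after applying the chmod workaround; a clean result is every line reading "ok". The version check normalises pre-release suffixes such as "-beta" so that 1.2.9-beta is correctly reported as affected.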
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to shared memory files
- Permission changes on /dev/shm/jk* files
- Apache/mod_jk configuration errors or failures
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
source="syslog" AND (("permission denied" AND "/dev/shm/jk") OR ("mod_jk" AND "shared memory"))