Description
The JK status manager is an administration interface for mod_jk.
Due to discrepancies between the specifications of httpd and Tomcat for path resolution, Apache mod_jk Connector 1.2.0 to 1.2.44 access controls to endpoints defined by a JkMount httpd directive can be bypassed.
Notably, if a read-only JK status manager interface is available, it is possible to disclose the internal routes of AJP
services served by mod_jk.
Furthermore, if a read-write JK status manager interface is available, it is possible to hijack or shutdown all traffic traversing mod_jk by altering the configuration of AJP workers, or to conduct internal port scanning.
Remediation
A patch is available for mod_jk (version 1.2.46).
Other mitigations include the use of Location values such as /jkstatus*, which seems to fix the issue.
References
Related Vulnerabilities
WordPress 4.1.x Multiple Vulnerabilities (4.1 - 4.1.17)
Joomla! Core 3.0.x Denial of Service (3.0.0 - 3.0.3)
Oracle Business Intelligence AMF Deserialization RCE CVE-2020-2950
WordPress Plugin Dropbox Folder Share Server-Side Request Forgery (1.9.7)
Spring Boot Misconfiguration: Spring Boot Actuator shutdown endpoint is web exposed