The Apache Software Foundation has released a security update to fix a vulnerability in Apache Tomcat JK Connectors.
A description of the path traversal vulnerability (CVE-2018-11759) from the Apache advisory:
“The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd.”
To mitigate the vulnerability, administrators should upgrade to Apache Tomcat JK ISAPI Connector 1.2.46 or later. Alternative measures can also be used such as restricting access to trusted users (e.g., using the remote address filter).