The Apache Web Server (httpd) specific code that normalised the requested
path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk)
Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only
a sub-set of the URLs supported by Tomcat were exposed via httpd, then it
was possible for a specially constructed request to expose application
functionality through the reverse proxy that was not intended for clients
accessing the application via the reverse proxy. It was also possible in
some configurations for a specially constructed request to bypass the
access controls configured in httpd. While there is some overlap between
this issue and CVE-2018-1323, they are not identical.
Upstream:released (1:1.2.46-1)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was needs-triage)
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 19.04 (Disco Dingo):not-affected (1:1.2.46-1)
Ubuntu 19.10 (Eoan):not-affected (1:1.2.46-1)
More Information

Updated: 2019-09-19 14:43:17 UTC (commit d32ebc32606b9517c6fa7d65a15441e2a57a6de5)