Apache Tomcat JK Web Server (mod_jk) Connector versions 1.2.19 and 1.2.20 contain a vulnerability that could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition or execute arbitrary code.
The vulnerability is due to insufficient input validation in mod_jk.so when handling URLs. An unauthenticated, remote attacker could exploit this vulnerability by submitting an overly long URL designed to cause a buffer overflow. The attacker could use the buffer overflow condition to create a DoS condition on the associated web server or execute arbitrary code with the privileges of the web server.
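The defect class described above, a URL copied into a fixed-size stack buffer without a length check, is illustrated here with an added example that is not mod_jk's own code. The buffer size, function names and sample URLs are assumptions chosen for the demonstration; the hardened form shows the length validation the advisory says was missing, rejecting an overlong request instead of copying it.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Illustrative fixed-size URI buffer; assumed value, not mod_jk's real size. */
#define URI_BUF_SIZE 64

/* Shape of the defect the advisory describes: the URL is copied into a
 * fixed-size stack buffer with no bounds check, so an overlong URL runs
 * past the end of uri. Shown for contrast only; the demo below never
 * passes it an overlong input. */
int vulnerable_copy_uri(const char *url)
{
    char uri[URI_BUF_SIZE];
    strcpy(uri, url);               /* no length check */
    return (int)strlen(uri);
}

/* Hardened form: measure the input against the destination first and
 * fail closed. Returns the copied length, or -1 if the URL does not fit. */
int hardened_copy_uri(const char *url, char *out, size_t out_len)
{
    size_t n = strnlen(url, out_len);   /* never reads past out_len bytes */
    if (n >= out_len) {
        return -1;                      /* too long: reject, do not truncate */
    }
    memcpy(out, url, n + 1);            /* includes the terminating NUL */
    return (int)n;
}

/* Request-line limit a front end can enforce before handing a URL to any
 * connector. max_len is an administrative limit (assumed value). */
int url_within_limit(const char *url, size_t max_len)
{
    return strnlen(url, max_len + 1) <= max_len;
}

/* Constructed sample: a normal servlet URL that fits the buffer. */
int demo_short_accepted(void)
{
    char out[URI_BUF_SIZE];
    return hardened_copy_uri("/examples/servlet/HelloWorld", out, sizeof out);
}

/* Constructed sample: a URL four times the buffer size, which the
 * hardened copy must refuse. */
int demo_overlong_rejected(void)
{
    char out[URI_BUF_SIZE];
    char overlong[URI_BUF_SIZE * 4];
    memset(overlong, 'A', sizeof overlong - 1);
    overlong[0] = '/';
    overlong[sizeof overlong - 1] = '\0';
    return hardened_copy_uri(overlong, out, sizeof out);
}

int main(void)
{
    printf("short URL copied, length %d\n", demo_short_accepted());
    printf("overlong URL result %d (-1 = rejected)\n", demo_overlong_rejected());
    return 0;
}
```

The check in `hardened_copy_uri` uses `strnlen` bounded by the destination size, so even the length measurement cannot read further than the buffer it protects; `url_within_limit` is the same idea applied one layer earlier, where a reverse proxy or web server can drop oversized request lines before they reach a connector module.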
Exploit code is available that triggers a stack-based buffer overflow on 32-bit Windows systems.
Apache has confirmed this vulnerability with a changelog and released updated software.