HTTPoxy - Is my JBoss/tomcat affected?

Solution In Progress - Updated -

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP) 6.x
  • Red Hat JBoss Enterprise Application Platform (EAP) 5.x
  • Red Hat JBoss Enterprise Web Server (EWS) 2.x
    • Tomcat 6
  • Red Hat JBoss Web Server (JWS) 3.x
    • Tomcat 6
    • Tomcat 7

Issue

This issue applies when you are using CGIServlet on JBoss EAP or Tomcat. Any outgoing HTTP request that the CGI script makes in turn as a result of the attacker's original request can be redirected to an attacker-controlled proxy.

Resolution

The use of a CGIServlet in production is not recommended. It is best to remove the web application using CGIServlet if you have that option. Alternatively, you can add a Servlet Filter to your application which returns a '400: Bad Request' response if an HTTP header with the name 'Proxy' is detected. For example:

Add a Servlet Filter to your CGI application war which rejects requests carrying the 'Proxy' header:
NOTE: Because the filter runs before the CGI script is invoked, it protects CGI scripts regardless of the language they are implemented in.

package com.redhat.prodsec.web.filter;

import java.io.IOException;
import java.util.Enumeration;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.annotation.WebFilter;

/*
 *  This is a sample servlet filter to disallow requests with a "Proxy" HTTP header.
 *  Header names are matched case-insensitively, as HTTP header names are not case-sensitive.
 */
@WebFilter("/*")
public class ProxyHeaderFilter implements Filter {

    /**
     * @see Filter#destroy()
     */
    public void destroy() {
        // nothing to clean up
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) req;
        Enumeration<String> headerNames = httpRequest.getHeaderNames();

        if (headerNames != null) {
            while (headerNames.hasMoreElements()) {
                String headerName = headerNames.nextElement();
                if (headerName.equalsIgnoreCase("Proxy")) {
                    // Send 400 and stop here: the request must not continue down
                    // the chain to the CGIServlet once it has been rejected.
                    ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
                    return;
                }
            }
        }

        chain.doFilter(req, res);
    }

    /**
     * @see Filter#init(FilterConfig)
     */
    public void init(FilterConfig fConfig) throws ServletException {
        // no configuration needed
    }

}

After compiling ProxyHeaderFilter.java, the class file ProxyHeaderFilter.class is produced under the com/redhat/prodsec/web/filter directory that matches the package name.

Create a jar for the ProxyHeaderFilter.class using the command below. It will generate a jar called ProxyHeaderFilter.jar.

jar -cvf ProxyHeaderFilter.jar com

Put this jar in your Web application's WEB-INF/lib folder. It will enable the Servlet filter in the web application.
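The following is an added example, not code from the Red Hat article: it models how a CGI gateway maps request headers to environment variables (RFC 3875, section 4.1.18), which is what turns a client-supplied 'Proxy' header into HTTP_PROXY for the CGI script, and applies the same reject-with-400 rule as the ProxyHeaderFilter above. The header names, values and the 203.0.113.10 address are constructed sample data; the helper names are this example's own.

```python
# Added example (not from the Red Hat article). Models the CGI header-to-
# environment mapping that makes httpoxy possible and the filter rule that
# stops it. All sample headers and addresses below are constructed.
from typing import Dict, List, Optional, Tuple

Headers = List[Tuple[str, str]]


def header_to_meta_variable(name: str) -> str:
    """RFC 3875: upper-case the header name, turn '-' into '_', prefix HTTP_."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_cgi_environment(headers: Headers, method: str = "GET") -> Dict[str, str]:
    """Naive gateway: every request header becomes a meta-variable, Proxy included."""
    env = {"REQUEST_METHOD": method, "GATEWAY_INTERFACE": "CGI/1.1"}
    for name, value in headers:
        env[header_to_meta_variable(name)] = value
    return env


def resolve_http_proxy(env: Dict[str, str], cgi_aware: bool = False) -> Optional[str]:
    """Proxy lookup as a classic proxy-aware HTTP client library does it: read
    HTTP_PROXY (or http_proxy) from the environment. With cgi_aware=True the
    upper-case variable is ignored whenever REQUEST_METHOD is present, which is
    the library-side fix adopted after httpoxy (Python's urllib behaves this way)."""
    if cgi_aware and "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def has_proxy_header(headers: Headers) -> bool:
    """Case-insensitive match, like the filter's equalsIgnoreCase("Proxy")."""
    return any(name.lower() == "proxy" for name, _ in headers)


def handle_request(headers: Headers) -> Tuple[int, Optional[Dict[str, str]]]:
    """Gateway front door with the filter in place: 400 and no CGI invocation
    when a Proxy header is present, otherwise the CGI environment to run with."""
    if has_proxy_header(headers):
        return 400, None
    return 200, build_cgi_environment(headers)


# Constructed sample requests (203.0.113.0/24 is the RFC 5737 documentation range).
CLEAN_REQUEST: Headers = [("Host", "app.example"), ("User-Agent", "sample/1.0")]
PROXY_REQUEST: Headers = CLEAN_REQUEST + [("pRoXy", "http://203.0.113.10:8080")]


if __name__ == "__main__":
    # Without the filter the header silently becomes the script's proxy setting.
    naive_env = build_cgi_environment(PROXY_REQUEST)
    print("unfiltered gateway, proxy seen by script:", resolve_http_proxy(naive_env))
    print("cgi-aware client library:", resolve_http_proxy(naive_env, cgi_aware=True))
    # With the filter the request never reaches the CGI script.
    print("filtered gateway:", handle_request(PROXY_REQUEST))
    print("clean request:", handle_request(CLEAN_REQUEST))
```

The mixed-case 'pRoXy' header in the sample shows why the filter must compare header names case-insensitively: the gateway upper-cases the name before it becomes HTTP_PROXY, so any spelling reaches the script as the same variable. Rejecting at the gateway (the article's approach) protects every CGI script at once, whereas the cgi_aware lookup only helps scripts whose client library has been patched.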

JWS 3.0.3 SP1

If you're using JWS 3.0.3 SP1 or later, a filter called org.apache.catalina.filters.PoxyFilter is included in the release.

You could use it by adding this to your application's web.xml:

    <filter>
        <filter-name>poxy</filter-name>
        <filter-class>
            org.apache.catalina.filters.PoxyFilter
        </filter-class>
    </filter>
    <filter-mapping>
        <filter-name>poxy</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

A valve was also added to the release called org.apache.catalina.valves.PoxyValve. You could add the new valve to your server.xml or context.xml, which would affect all applications:

    <Valve className="org.apache.catalina.valves.PoxyValve" />

Root Cause

See HTTPoxy - A CGI application-code vulnerability affecting PHP, Go, Python, and others for more information.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
