JBoss EAP 4.3 failing security audit for CVE-2005-2090

Solution Verified - Updated -

Environment

  • JBoss Enterprise Application Platform (EAP)

Issue

  • Security audit software shows the following results for CVE-2005-2090:
    QID: 86789 CVSS Base: 4.3 PCI FAILED
    Category: Web server CVSS Temporal: 3.4
    CVE ID: CVE-2005-2090
    Vendor Reference: Apache Tomcat 4, Apache Tomcat 5, Apache Tomcat 6
    Bugtraq ID: 13873
    Service Modified: 07/14/2008
    User Modified: -
    Edited: No
    THREAT:
    This vulnerability exists in Apache Tomcat Versions 4, 5 and 6 when the server doesn't reject multiple content length header requests.
    IMPACT:
    When these kinds of requests are processed by firewalls, caches, proxies and Tomcat, they may result in Web cache poisoning, XSS attack and information disclosure.
    SOLUTION:
    Refer to this Apache Tomcat Web site (http://tomcat.apache.org/) for details about the latest versions.
    COMPLIANCE:
    Not Applicable
    RESULTS:
    POST /index.jsp HTTP/1.0
    Content-Length: 0
    Content-Length: 0
    <html><head><title>JBossWeb/2.0.0.GA_CP - Error report</title><style><!--H1
    {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2
    {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3
    {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY
    {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;}
    B
    {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
    P
    {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A
    {color : black;}A.name {color : black;}HR {color :
    #525D76;}--></style> </head><body><h1>HTTP Status 404 - /cardlock/error_404.html</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>/cardlock/error_404.html</u></p><p><b>description</b> <u>The requested resource (/cardlock/error_404.html) is not available.</u></p><HR size="1" noshade="noshade"><h3>JBossWeb/2.0.0.GA_CP</h3></body></html>
    POST /index.html HTTP/1.0
    Content-Length: 0
    Content-Length: 0

Resolution

Prevent ErrorDocument URLs from being proxied to the backend by adding ProxyPass and/or ProxyPassMatch directives with the "!" operator for those URLs. Be sure to add the entries before any existing ProxyPass and/or ProxyPassMatch directives, since the first matching rule wins. For example:

ProxyPassMatch ^/error_400.html$ !
ProxyPassMatch ^/error_402.html$ !
ProxyPassMatch ^/error_403.html$ !
ProxyPassMatch ^/error_404.html$ !
ProxyPassMatch ^/error_413.html$ !

Root Cause

The test is giving a false positive: httpd responds to the duplicate Content-Length headers with a 413, the 413 maps to the corresponding ErrorDocument URL, that URL is then passed to the backend, and the backend answers with a 404.
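The chain described above, and the ordering requirement in the Resolution, can be checked mechanically. The following Python script is an added example, not part of this solution or of httpd: it reads a constructed httpd configuration, derives the ProxyPassMatch "!" exclusions from its ErrorDocument directives, and reports any ErrorDocument path that a ProxyPass or ProxyPassMatch rule would still forward to the backend. The sample configuration and the localhost:8080 backend are assumptions.

```python
import re

# Constructed httpd front-end config for JBoss (not the page's own): the catch-all
# ProxyPass forwards everything, including the ErrorDocument pages, to the backend.
SAMPLE_CONF = """
ErrorDocument 400 /error_400.html
ErrorDocument 402 /error_402.html
ErrorDocument 403 /error_403.html
ErrorDocument 404 /error_404.html
ErrorDocument 413 /error_413.html
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
"""
ERRORDOC_RE = re.compile(r"^\s*ErrorDocument\s+(\d{3})\s+(\S+)", re.I)
PROXY_RE = re.compile(r"^\s*(ProxyPass|ProxyPassMatch)\s+(\S+)\s+(\S+)", re.I)


def error_document_paths(conf):
    """Local ErrorDocument target paths, in configuration order. External URLs
    and quoted message strings are skipped: only a path starting with '/' is
    served by httpd itself and can be handed to mod_proxy."""
    return [m.group(2) for m in map(ERRORDOC_RE.match, conf.splitlines())
            if m and m.group(2).startswith("/")]


def exclusion_directives(conf):
    """The ProxyPassMatch '!' lines that keep each ErrorDocument path local."""
    return ["ProxyPassMatch ^%s$ !" % p for p in error_document_paths(conf)]


def unprotected_error_paths(conf):
    """ErrorDocument paths that a ProxyPass (literal prefix) or ProxyPassMatch
    (regex) rule would still forward. mod_proxy checks rules in configuration
    order, first match wins, so an exclusion must precede the forwarding rule."""
    rules = [(m.group(1).lower(), m.group(2), m.group(3))
             for m in map(PROXY_RE.match, conf.splitlines()) if m]
    leaked = []
    for path in error_document_paths(conf):
        for kind, pattern, target in rules:
            if path.startswith(pattern) if kind == "proxypass" else re.match(pattern, path):
                if target != "!":
                    leaked.append(path)
                break  # first matching rule decides; later rules are ignored
    return leaked


if __name__ == "__main__":
    for path in unprotected_error_paths(SAMPLE_CONF):
        print("still proxied to the backend:", path)
    print("\n".join(exclusion_directives(SAMPLE_CONF)))
```

Run it against your own httpd.conf text: an empty result from unprotected_error_paths means every ErrorDocument page is already excluded ahead of the rule that would proxy it.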

Diagnostic Steps

  • This issue was fixed in Tomcat 6.0.11, and JBoss EAP 4.2/4.3 is based on Tomcat 6.0.13.
  • Test with the attached JMeter test that sends 2 Content-Length headers when requesting a page from the jmx-console. It fails with the following error in jmeter.log:
    2010/05/11 13:54:21 ERROR - jmeter.protocol.http.sampler.HTTPSampler: Cause: java.io.IOException: Server returned HTTP response code: 400 for URL: http://localhost:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=Catalina%3Atype%3DServer
    2010/05/11 13:54:21 INFO  - jmeter.protocol.http.sampler.HTTPSampler: Error Response Code: 400
    
  • Test with curl as follows (two separate -H options, so that two Content-Length headers are actually sent):
    curl -H "Content-Length: 49" -H "Content-Length: 50" -d "action=inspectMBean&name=Catalina%3Atype%3DServer" -D headers.txt http://localhost:8080
    

You will see the 400 response in headers.txt.

  • Test hitting JBoss directly, then through any upstream proxies (e.g. Apache).

Attachments

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
