JBoss EAP 4.3 failing security audit for CVE-2005-2090
Environment
- JBoss Enterprise Application Platform (EAP)
Issue
- Security audit software shows the following results for CVE-2005-2090:
QID: 86789
CVSS Base: 4.3
PCI: FAILED
Category: Web server
CVSS Temporal: 3.4
CVE ID: CVE-2005-2090
Vendor Reference: Apache Tomcat 4, Apache Tomcat 5, Apache Tomcat 6
Bugtraq ID: 13873
Service Modified: 07/14/2008
User Modified: -
Edited: No
THREAT: This vulnerability exists in Apache Tomcat Versions 4, 5 and 6 when the server doesn't reject multiple content length header requests.
IMPACT: When these kinds of requests are processed by firewalls, caches, proxies and Tomcat, they may result in Web cache poisoning, XSS attack and information disclosure.
SOLUTION: Refer to this Apache Tomcat Web site (http://tomcat.apache.org/) for details about the latest versions.
COMPLIANCE: Not Applicable
RESULTS:
POST /index.jsp HTTP/1.0
Content-Length: 0
Content-Length: 0
<html><head><title>JBossWeb/2.0.0.GA_CP - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - /cardlock/error_404.html</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>/cardlock/error_404.html</u></p><p><b>description</b> <u>The requested resource (/cardlock/error_404.html) is not available.</u></p><HR size="1" noshade="noshade"><h3>JBossWeb/2.0.0.GA_CP</h3></body></html>
POST /index.html HTTP/1.0
Content-Length: 0
Content-Length: 0
Resolution
Prevent the httpd ErrorDocument URLs from being proxied to the backend by adding ProxyPass and/or ProxyPassMatch directives that use the "!" (exclude) operator for those URLs. The entries must be placed before any existing ProxyPass and/or ProxyPassMatch directives, because mod_proxy applies the first directive that matches. For example:
ProxyPassMatch ^/error_400.html$ !
ProxyPassMatch ^/error_402.html$ !
ProxyPassMatch ^/error_403.html$ !
ProxyPassMatch ^/error_404.html$ !
ProxyPassMatch ^/error_413.html$ !
Root Cause
The test is giving a false positive. httpd rejects the request carrying duplicate Content-Length headers with a 413 response; that status maps to the configured ErrorDocument URL, which httpd then proxies to the backend like any other request. The backend has no such resource, so the scanner sees the backend's 404 page instead of the rejection.
Diagnostic Steps
- This issue was fixed in Tomcat 6.0.11, and JBoss EAP 4.2/4.3 is based on Tomcat 6.0.13, so the JBossWeb container itself rejects requests with duplicate Content-Length headers.
- Test with the attached JMeter test, which sends two Content-Length headers when requesting a page from the jmx-console. It fails with the following error in jmeter.log:
2010/05/11 13:54:21 ERROR - jmeter.protocol.http.sampler.HTTPSampler: Cause: java.io.IOException: Server returned HTTP response code: 400 for URL: http://localhost:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=Catalina%3Atype%3DServer
2010/05/11 13:54:21 INFO - jmeter.protocol.http.sampler.HTTPSampler: Error Response Code: 400
- Test with curl as follows (two separate -H options, so that two Content-Length header lines are actually sent):
curl -H "Content-Length: 49" -H "Content-Length: 50" -d "action=inspectMBean&name=Catalina%3Atype%3DServer" -D headers.txt http://localhost:8080
You will see the 400 response in headers.txt.
- Test hitting JBoss directly, then through any upstream proxies (e.g. Apache).
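The following script is an added example (not part of the Red Hat solution or the scanner's code) that reproduces the scanner's probe over a raw socket and maps the status code to the cases described above: 400 from JBossWeb, 413 from httpd, 404 when the ErrorDocument URL was proxied (the false positive), or an accepted request. Hosts, ports and the path are placeholders for your own JBoss instance and upstream httpd.

```python
"""Send a POST with two Content-Length headers and classify the reply.
Added example; host/port/path are placeholders, not values from the article."""
import socket

def build_probe(host: str, path: str = "/index.jsp") -> bytes:
    # Constructed request with the same shape as the scanner's RESULTS:
    # HTTP/1.0 POST, two Content-Length: 0 headers, no body.
    lines = [
        f"POST {path} HTTP/1.0",
        f"Host: {host}",
        "Content-Length: 0",
        "Content-Length: 0",  # duplicate header the server should reject
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")

def classify(status_line: str) -> str:
    """Map the first response line to what it means for this finding."""
    parts = status_line.split()
    if len(parts) < 2 or not parts[1].isdigit():
        return "unparseable status line"
    code = int(parts[1])
    if code == 400:
        return "rejected by Tomcat/JBossWeb (fixed behaviour, not vulnerable)"
    if code == 413:
        return "rejected by httpd (ErrorDocument not proxied)"
    if code == 404:
        return "false positive: httpd ErrorDocument URL was proxied to the backend"
    if code in (200, 302):
        return "request accepted: server did not reject duplicate Content-Length"
    return f"HTTP {code}: inspect manually"

def probe(host: str, port: int, path: str = "/index.jsp", timeout: float = 5.0) -> str:
    """Send the probe over a raw socket so both header lines go out exactly
    as written, then classify the status line of the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe(host, path))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    head = b"".join(chunks).split(b"\r\n", 1)[0]
    return classify(head.decode("latin-1", "replace"))

if __name__ == "__main__":
    # Placeholders: JBoss directly first, then the httpd front end.
    for host, port in (("localhost", 8080), ("localhost", 80)):
        print(f"{host}:{port} -> {probe(host, port)}")
```

Run it against JBoss directly and then through httpd; a 400 from the first and a 404 from the second confirms the root cause described above rather than a vulnerable container.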
