How to remove unsafe HTTP verbs in http-invoker.sar in EAP
Environment
- JBoss Enterprise Application Platform (EAP)
- 4.3 CP01-CP09
- 5.0.0-5.1.1
Issue
- By submitting a HEAD request (instead of the usual GET), it was possible to bypass authentication for the JBoss JMXInvokerServlet and receive an HTTP 200 response.
- In EAP version prior to 5.1.2, removed the GET/POST verbs from the JMX Console's web.xml but they are still in the http.invoker.sar's web.xml.Is the Http invoker vulnerable to the same attack (bypassing security by using other HTTP verbs)?
Resolution
The safest thing to do would be to remove the verbs from http invokers web.xml located under deploy/http-invoker.sar/invoker.war/WEB-INF/.
This will cause all verbs to be blocked by default. So you would remove these values:
<http-method>GET</http-method>
<http-method>POST</http-method>
This would ensure that these methods can not be exploited.
It'll just force all methods to go through authentication.
This fix is included in the latest JBOSS EAP 4.3 CP10 and included in version starting from EAP-5.1.2.
Root Cause
Leaving these verbs available make it so that an unauthenticated user can use them to access secure data from the server. This JIRA explains futher:
This issue was reported as CVE-2011-4085 and tracked by the following bugzilla:
Diagnostic Steps
Testing with default settings:
default settings
================
$ curl -v -X HEAD http://127.0.0.1:8080/invoker/JMXInvokerServlet
curl: (18) transfer closed with 3222 bytes remaining to read
$ grep InvokerServlet server/default/log/server.log | grep processRequest
2011-04-11 09:42:43,325 TRACE [org.jboss.invocation.http.servlet.InvokerServlet] processRequest, ContentLength: -1
2011-04-11 09:42:43,329 TRACE [org.jboss.invocation.http.servlet.InvokerServlet] processRequest, ContentType: null
at org.jboss.invocation.http.servlet.InvokerServlet.processRequest(InvokerServlet.java:136)
===========
full stack trace ... notice the HttpServlet.doHead -> InvokerServlet.doGet
===========
2011-04-11 09:53:31,839 TRACE [org.jboss.invocation.http.servlet.InvokerServlet] processRequest, ContentLength: -1
2011-04-11 09:53:31,841 TRACE [org.jboss.invocation.http.servlet.InvokerServlet] processRequest, ContentType: null
2011-04-11 09:53:31,844 DEBUG [org.jboss.invocation.http.servlet.InvokerServlet] Invoke threw exception
java.io.EOFException
at java.io.ObjectInputStream$PeekInputStream.readFully(ObjectInputStream.java:2281)
at java.io.ObjectInputStream$BlockDataInputStream.readShort(ObjectInputStream.java:2750)
at java.io.ObjectInputStream.readStreamHeader(ObjectInputStream.java:780)
at java.io.ObjectInputStream.<init>(ObjectInputStream.java:280)
at org.jboss.invocation.http.servlet.InvokerServlet.processRequest(InvokerServlet.java:136)
at org.jboss.invocation.http.servlet.InvokerServlet.doGet(InvokerServlet.java:214)
at javax.servlet.http.HttpServlet.doHead(HttpServlet.java:241)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:634)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:173)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:619)
remove all methods from web.xml
===============================
$ curl -v -X HEAD http://127.0.0.1:8080/invoker/JMXInvokerServlet
curl: (18) transfer closed with 954 bytes remaining to read
$ grep InvokerServlet server/default/log/server.log | grep processRequest
=====================================================
Enable some extra logging to see what is called:
=====================================================
$ git diff --no-prefix
diff --git jboss-as/server/default/conf/jboss-log4j.xml jboss-as/server/default/conf/jboss-log4j.xml
index 4c2eb7b..07f2ea9 100644
--- jboss-as/server/default/conf/jboss-log4j.xml
+++ jboss-as/server/default/conf/jboss-log4j.xml
@@ -159,7 +159,13 @@
<!-- ================ -->
<!-- Limit categories -->
<!-- ================ -->
+ <category name="org.jboss.invocation.http.servlet">
+ <priority value="TRACE"/>
+ </category>
+ <category name="org.jboss.jmx.adaptor.html">
+ <priority value="TRACE"/>
+ </category>
<!-- Limit the org.apache category to INFO as its DEBUG is verbose -->
<category name="org.apache">
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments