5 Replies Latest reply on May 23, 2011 7:52 AM by jfclere

    Tomcat Version with JBoss 4.2.1.GA

    ashok_av

      Does anyone know the tomcat version that is embedded in version 4.2.1 GA?

      I would like to know if the vulnerability CVE-2005-2090 is fixed in the tomcat version included in 4.2.1.GA.

      This vulnerability is fixed in tomcat release version 6.0.11. So I'd like to know which 6.0.x is included in JBoss 4.2.1.GA

      ---Thanks

      Thanks...

        • 1. Re: Tomcat Version with JBoss 4.2.1.GA
          peterj
          • 2. Re: Tomcat Version with JBoss 4.2.1.GA
            cgrube

            I need to get over the same security vulnerability (i.e. CVE-2005-2090). We are on JBoss 4.2.2GA which bundles JBossWeb 2.0.1. It appears that this version of JBossWeb has the same issue.

            1) Anyone know the earliest version of JBossWeb containing a fix for this vulnerability?

            2) Assuming there is a patch release for JBossWeb that addresses this, is it supported and relatively straightforward to upgrade JBossWeb within JBoss?

            3) Barring that, are there any known workarounds? If we are fronted with Apache Web Server, it seems like there should be an easy way to filter these faulty requests before they get to JBossWeb?

            Any help will be greatly appreciated.

            • 3. Re: Tomcat Version with JBoss 4.2.1.GA
              jfclere

              CVE-2005-2090 was fixed in TC6.0.11 and jbossweb is based on 6.0.13+ so it is fixed.

              • 4. Re: Tomcat Version with JBoss 4.2.1.GA
                cgrube

                Jean-Frederic,

                Thanks for the prompt response. Do you know what exactly the fix was? My testing seems to show an HTTP Response of 400 ("Bad Request"). Seems reasonable to me.

                My client's testing however is indicating that they get a 404 in the case when the resource is not found. Per the web app's configuration the body of the response contains a pretty formatted error page. This also seems reasonable to me but I am afraid I don't understand the security vulnerability well enough to know if this is still an issue.

                I suspect that JBossWeb is checking for the requested resource BEFORE validating the headers and so returns 404 instead of 400. Can you confirm this and do you know if this presents a security risk?

                • 5. Re: Tomcat Version with JBoss 4.2.1.GA
                  jfclere
                  http://svn.apache.org/viewvc?view=rev&rev=514176

                  The headers are not validated before being used so the behaviour is the expected one.
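The two practical questions in this thread are whether faulty requests can be filtered in front of JBossWeb (cgrube's question 3) and whether a 400 or a 404 should come back when the headers are bad (reply 4 and 5). CVE-2005-2090 is the Tomcat HTTP request smuggling issue, where a request carrying both a Content-Length and a Transfer-Encoding: chunked header is framed differently by the container and by an upstream proxy or cache. The following is an added example, not JBossWeb, Tomcat or Apache code: a small Python model of a server that validates the framing headers first and only then looks up the resource, so an ambiguous request gets 400 regardless of whether the path exists. The resource set, the hostname and the sample requests are constructed for the example.

```python
"""Framing-header validation for HTTP/1.1 request heads.

Added example, not code from JBossWeb, Tomcat or this thread. It models the
defensive ordering discussed above: reject ambiguous Content-Length /
Transfer-Encoding combinations with 400 before any resource lookup happens,
so a bad request is never answered with a 404 that leaks routing behaviour.
"""

from typing import List, Optional, Tuple

Header = Tuple[str, str]


def parse_head(raw: bytes) -> Tuple[str, List[Header]]:
    """Split a raw request head into (request_line, [(name, value), ...]).

    Header names are lower-cased; duplicate headers are kept as separate
    entries so the validator can see conflicts. Obsolete line folding and
    lines without a colon are treated as malformed.
    """
    text = raw.decode("iso-8859-1")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    request_line = lines[0]
    headers: List[Header] = []
    for line in lines[1:]:
        if not line:
            continue
        if ":" not in line or line[0] in " \t":
            raise ValueError("malformed header line: %r" % line)
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def framing_error(headers: List[Header]) -> Optional[str]:
    """Return a reason string if the message framing is ambiguous, else None.

    The rules follow RFC 7230 section 3.3.3: Transfer-Encoding and
    Content-Length must not be combined, repeated Content-Length values must
    agree and be numeric, and chunked must be the final transfer coding.
    """
    cl_values = [v for n, v in headers if n == "content-length"]
    te_values = [v for n, v in headers if n == "transfer-encoding"]
    if te_values and cl_values:
        return "both Transfer-Encoding and Content-Length present"
    if len(set(cl_values)) > 1:
        return "conflicting Content-Length values"
    for v in cl_values:
        if not v.isdigit():
            return "non-numeric Content-Length"
    if te_values:
        codings = [c.strip().lower() for v in te_values for c in v.split(",")]
        if codings[-1] != "chunked":
            return "Transfer-Encoding without final chunked coding"
    return None


def handle_request(raw: bytes, resources) -> int:
    """Simulated server: validate framing first, then look up the resource.

    Returns the HTTP status code that would be sent: 400 for any framing or
    syntax problem, 404 for a well-formed request to an unknown path, 200
    otherwise. The ordering is the point: framing is checked before the path.
    """
    try:
        request_line, headers = parse_head(raw)
    except (ValueError, IndexError):
        return 400
    if framing_error(headers) is not None:
        return 400
    parts = request_line.split(" ")
    if len(parts) != 3:
        return 400
    path = parts[1]
    return 200 if path in resources else 404


# Constructed sample data for the example (hostname and paths are made up).
RESOURCES = {"/index.html"}

# Both framing headers present: the pattern at the heart of CVE-2005-2090.
AMBIGUOUS_FRAMING = (b"POST /index.html HTTP/1.1\r\nHost: example.test\r\n"
                     b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n")
# Duplicate, disagreeing Content-Length on a path that does not exist:
# must still be a 400, not a 404, because framing is validated first.
DUPLICATE_CL_MISSING = (b"GET /nothere HTTP/1.1\r\nHost: example.test\r\n"
                        b"Content-Length: 1\r\nContent-Length: 2\r\n\r\n")
CLEAN_FOUND = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
CLEAN_MISSING = b"GET /nothere HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("ambiguous framing", AMBIGUOUS_FRAMING),
                       ("duplicate CL, unknown path", DUPLICATE_CL_MISSING),
                       ("clean, found", CLEAN_FOUND),
                       ("clean, missing", CLEAN_MISSING)]:
        print("%-28s -> %d" % (label, handle_request(req, RESOURCES)))
```

The same `framing_error` check is what a front-end proxy would apply to drop the request before it reaches the container, which answers the workaround question: a request that fails it never gets as far as resource resolution, so the 404 path described in reply 4 is never reached for a malformed request.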