I need to get over the same security vulnerability (i.e. CVE-2005-2090). We are on JBoss 4.2.2GA which bundles JBossWeb 2.0.1. It appears that this version of JBossWeb has the same issue.
1) Anyone know the earliest version of JBossWeb containing a fix for this vulnerability?
2) Assuming there is a patch release for JBossWeb that addresses this, is it supported and relatively straightforward to upgrade JBossWeb within JBoss?
3) Barring that, are there any known workarounds? If we are fronted with Apache Web Server, it seems like there should be an easy way to filter these faulty requests before they get to JBossWeb?
Any help will be greatly appreciated.
CVE-2005-2090 was fixed in TC6.0.11 and jbossweb is based on 6.0.13+ so it is fixed.
Thanks for the prompt response. Do you know what exactly the fix was? My testing seems to show an HTTP Response of 400 ("Bad Request"). Seems reasonable to me.
My client's testing however is indicating that they get a 404 in the case when the resource is not found. Per the web app's configuration the body of the response contains a pretty formatted error page. This also seems reasonable to me but I am afraid I don't understand the security vulnerability well enough to know if this is still an issue.
I suspect that JBossWeb is checking for the requested resource BEFORE validating the headers and so returns 404 instead of 400. Can you confirm this and do you know if this presents a security risk?
The headers are not validated before being used so the behaviour is the expected one.
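Added illustration, not code from the thread or from JBossWeb: CVE-2005-2090 is the Tomcat HTTP request-smuggling issue in which conflicting Content-Length and Transfer-Encoding headers let a proxy and the server frame the same request differently. The small Python filter below checks message framing before any resource lookup, so an ambiguous request gets 400 while a well-formed request for a missing resource still gets 404, which is the ordering question raised above. The sample requests and the resource table are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample request heads (not taken from the thread), as a
# front-end filter would see them before forwarding to the servlet container.
SAMPLE_REQUESTS = {
    "clean": b"GET /app/index.jsp HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "missing_resource": b"GET /app/nope.jsp HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "cl_and_te": (b"POST /app/x HTTP/1.1\r\nHost: example.test\r\n"
                  b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"),
    "dup_cl": (b"POST /app/x HTTP/1.1\r\nHost: example.test\r\n"
               b"Content-Length: 5\r\nContent-Length: 10\r\n\r\n"),
}

KNOWN_RESOURCES = {"/app/index.jsp"}  # hypothetical deployed resources


def parse_headers(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split the request head into the request line and (name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def validate_message_length(headers: List[Tuple[str, str]]) -> bool:
    """Reject framings that leave the body length ambiguous (smuggling vector)."""
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    if cl and te:                      # both length mechanisms present
        return False
    if len(set(cl)) > 1:               # conflicting Content-Length values
        return False
    if any(not re.fullmatch(r"\d+", v) for v in cl):  # non-numeric length
        return False
    return True


def handle(raw: bytes) -> int:
    """Return the status a container should give: framing check, then lookup."""
    request_line, headers = parse_headers(raw)
    if not validate_message_length(headers):
        return 400                     # malformed before any resource lookup
    path = request_line.split(" ")[1]
    return 200 if path in KNOWN_RESOURCES else 404
```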