18 Replies Latest reply: Oct 30, 2012 6:10 AM by Yogesh Tiwari

JBOSS 5.1.0.GA JBOSS Web Vulnerability

Ed Lam Newbie

Recently we did a security scan and found the following vulnerability:

The remote Apache Tomcat service is vulnerable to information disclosure or a denial of service attack due to a mishandling of invalid values for the 'Transfer-Encoding' HTTP header as sent by a client.

I understand that the JBoss Web version is 2.1.3; however, I don't know what Apache Tomcat version corresponds to JBoss Web version 2.1.3, because it was suggested to upgrade to Apache Tomcat version 5.5.30 / 6.0.28 or greater.

Does anyone know if this security vulnerability is fixed in JBoss 6?

Or are there any alternatives, such as using a standalone Tomcat 6 server to replace the bundled JBoss Web 2.1.3?

Thanks for any suggestion.

  • 1. Re: JBOSS 5.1.0.GA JBOSS Web Vulnerability
    Jean-Frederic Clere Master

    You are speaking about CVE-2010-2227, no?

    It is fixed by r1496 in the jbossweb 2.1.x branch and is fixed in 2.1.9 (see http://jboss.org/jbossweb/downloads/jboss-web.html).

    You could build a new jbossweb.jar using the 2.1.9 sources and replace the 5.0.1.GA ones with it.

  • 2. Re: JBOSS 5.1.0.GA JBOSS Web Vulnerability
    Ed Lam Newbie

    Dear Fred,

    Thanks.

    But is 2.1.9 safe to be used for production, or
    is it safer to use the 2.1.3 branch (the JBOSS 5.1.0.GA jbossweb version is 2.1.3) instead?

    Oops, sorry, I thought there was a 2.1.3 branch, but in fact there is only a 2.1.x branch, and I believe 2.1.9 is the latest package updated and the only option for it. Thanks.

  • 3. Re: JBOSS 5.1.0.GA JBOSS Web Vulnerability
    Jean-Frederic Clere Master

    The community versions are not for production; you should look at http://www.jboss.com/services/subscriptions/

  • 4. Re: JBOSS 5.1.0.GA JBOSS Web Vulnerability
    Pedro Silva Newbie

    Hi,

    I did a build based on the 2.1.9 sources that I got from http://jboss.org/jbossweb/downloads/jboss-web.html and replaced all the jbossweb.jar jars in jboss-5.1.0.GA. I restarted the server and verified that the JBoss Web version was upgraded:

    [...]

    2010-09-03 16:26:44,437 INFO  [org.apache.catalina.core.StandardEngine] (main) Starting Servlet Engine: JBoss Web/2.1.9.GA

    [...]

    However, when running the Nessus test that verifies the vulnerability, it still says it fails.

    Is the fix really in the downloadable sources of 2.1.9 or only in CVS?

    Thanks.

  • 5. Re: JBOSS 5.1.0.GA JBOSS Web Vulnerability
    Jean-Frederic Clere Master

    The guess is that Nessus doesn't test the vulnerability but guesses the version (maybe wrongly) and says it is vulnerable.

  • 6. Re: JBOSS 5.1.0.GA JBOSS Web Vulnerability
    Pedro Silva Newbie

    The plugin output from Nessus is this:

    Nessus was able to verify this issue using the following request :

    GET / HTTP/1.1
    Host: 127.0.0.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
    Date: Sat, 3 Jan 1970 21:54:37 GMT
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
    Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
    Pragma: no-cache
    Transfer-Encoding: NESSUS
    Accept-Language: en
    Connection: Close

    I've tried to use Fiddler to see if I could trigger the error, but I see no strange behaviour...

  • 7. Re: JBOSS 5.1.0.GA JBOSS Web Vulnerability
    Jean-Frederic Clere Master

    What is the response?

  • 8. Re: JBOSS 5.1.0.GA JBOSS Web Vulnerability
    Pedro Silva Newbie

    The responses from both are like this:

    Default JBoss:

    HTTP/1.1 501 Not Implemented
    Server: Apache-Coyote/1.1
    Date: Fri, 17 Sep 2010 11:41:24 GMT
    Connection: close

    Patched JBoss:

    HTTP/1.1 501 Not Implemented
    Server: Apache-Coyote/1.1
    Date: Fri, 17 Sep 2010 11:52:20 GMT
    Connection: close

    The Nessus plugin does the following check in order to see if there is a vulnerability or not:

    if ("Transfer-Encoding: chunked" >!< w[1] &&
        "501 Not Implemented" >< w[0] &&
        egrep(pattern: "^Server:.*(Tomcat|Coyote)", string: w[1])
    )
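The NASL condition quoted above, ported to Python so the point made in this reply and the next one can be checked offline: the plugin keys only on the status line and the Server banner, and the two responses Pedro posted are identical for stock 2.1.3 and the rebuilt 2.1.9 jar. This is an added example, not code from the thread or from Tenable. The responses and the probe request are the ones posted in the thread; the optional send_probe helper and its default port 8080 are assumptions for use against a live server.

```python
import re
import socket

# The probe Nessus sent (copied from the thread); the Transfer-Encoding value
# is deliberately not a real coding.
NESSUS_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "Transfer-Encoding: NESSUS\r\n"
    "Connection: Close\r\n"
    "\r\n"
)

# Responses posted in the thread: stock JBoss Web 2.1.3 and the rebuilt 2.1.9
# answer identically, which is the whole problem with a banner-based check.
DEFAULT_RESPONSE = (
    "HTTP/1.1 501 Not Implemented\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Date: Fri, 17 Sep 2010 11:41:24 GMT\r\n"
    "Connection: close\r\n"
    "\r\n"
)
PATCHED_RESPONSE = (
    "HTTP/1.1 501 Not Implemented\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "Date: Fri, 17 Sep 2010 11:52:20 GMT\r\n"
    "Connection: close\r\n"
    "\r\n"
)


def split_response(raw):
    """Return (status_line, header_block): the parts the NASL snippet calls w[0] and w[1]."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    return status_line, header_block


def nessus_says_vulnerable(raw):
    """Port of the quoted NASL condition.

    In NASL, `a >< b` means "a is a substring of b" and `a >!< b` is its negation:
      "Transfer-Encoding: chunked" >!< w[1]      -> no chunked header in the response
      "501 Not Implemented" >< w[0]              -> status line is 501
      egrep("^Server:.*(Tomcat|Coyote)", w[1])   -> Server banner looks like Tomcat
    Nothing here depends on whether the header-handling fix is present.
    """
    status_line, header_block = split_response(raw)
    return (
        "Transfer-Encoding: chunked" not in header_block
        and "501 Not Implemented" in status_line
        and re.search(r"^Server:.*(Tomcat|Coyote)", header_block, re.M) is not None
    )


def server_banner(raw):
    """Value of the Server header, or None. Apache-Coyote/1.1 carries no
    JBoss Web or Tomcat version, so it cannot tell 2.1.3 from 2.1.9."""
    _, header_block = split_response(raw)
    match = re.search(r"^Server:[ \t]*([^\r\n]+)", header_block, re.M)
    return match.group(1) if match else None


def send_probe(host, port=8080, timeout=5.0):
    """Send the same probe to a live server and return the raw response text.
    Port 8080 is an assumption (JBoss AS default); not used by the offline demo."""
    request = NESSUS_REQUEST.replace("Host: 127.0.0.1", "Host: %s" % host)
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


def classify(responses):
    """Run the check over {label: raw_response}; returns {label: (banner, flagged)}."""
    return {label: (server_banner(raw), nessus_says_vulnerable(raw))
            for label, raw in responses.items()}


if __name__ == "__main__":
    results = classify({"stock 2.1.3": DEFAULT_RESPONSE, "rebuilt 2.1.9": PATCHED_RESPONSE})
    for label, (banner, flagged) in results.items():
        print("%-14s Server=%-18s flagged=%s" % (label, banner, flagged))
```

Both constructed responses come back flagged with the same banner, which is what you would expect from a check that never exercises the faulty buffer handling; to confirm a rebuilt jar you have to rely on the jar contents and the startup banner (JBoss Web/2.1.9.GA), not on this plugin.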

  • 9. Re: JBOSS 5.1.0.GA JBOSS Web Vulnerability
    Howard Ungar Newbie

    We came to the exact same conclusion that Nessus is not correctly detecting the jbossweb fix for this vulnerability and have opened a case with Tenable, the makers of Nessus, asking them to fix the plugin.

  • 10. Re: JBOSS 5.1.0.GA JBOSS Web Vulnerability
    David liu Newbie

    I have the same problem. Who can provide the solution to me? Our company will scan on October 18th; I am very anxious now.

    my email :  liuxueming8@gmail.com   thanks.

    I have upgraded JBoss version 5.1.0.GA-jdk6 to the latest JBoss version, 6.0 (M5), and conducted a scan. The 'Apache Tomcat Transfer-Encoding Header Vulnerability' problem still exists.

  • 11. Re: JBOSS 5.1.0.GA JBOSS Web Vulnerability
    Pedro Silva Newbie

    Howard, can you provide the link to the bug report on nessus, so that people can track the status of this issue?

     

    Thanks.

  • 12. Re: JBOSS 5.1.0.GA JBOSS Web Vulnerability
    Yogesh Tiwari Newbie

    Hi,

    I have a related request. I have upgraded JBoss from 4.2.0 to 5.1.0, and now I need to update the JBoss web server from the default 2.1.3 to the 2.1.9 version. I have followed a few posts which mention downloading the 2.1.9 source code from the web, building it, and then replacing the jbossweb.jar file. However, when I do it there are lots of deployment errors while bringing up the server.

    Following is a snapshot of the errors:

    2012-10-28 23:31:53,704 ERROR [org.apache.tomcat.util.modeler.Registry] Error loading vfszip:/usr/jboss-5.1.0.GA/server/default/deploy/jbossweb.sar/jbossweb.jar/org/apache/catalina/startup/mbeans-descriptors.xml
    2012-10-28 23:31:53,707 ERROR [org.apache.tomcat.util.modeler.Registry] Error loading vfszip:/usr/jboss-5.1.0.GA/server/default/deploy/jbossweb.sar/jbossweb.jar/org/apache/catalina/mbeans-descriptors.xml
    2012-10-28 23:31:53,714 ERROR [org.apache.tomcat.util.modeler.Registry] Error registering jboss.web:type=Catalina
    java.lang.ClassNotFoundException: org.apache.tomcat.util.modeler.modules.MbeansDescriptorsIntrospectionSource from BaseClassLoader@118e146{VFSClassLoaderPolicy@6dca9d{name=vfsfile:/usr/jboss-5.1.0.GA/server/default/deploy/jbossweb.sar/ domain=ClassLoad
    erDomain@1d840d9{name=DefaultDomain parentPolicy=BEFORE parent=org.jboss.bootstrap.NoAnnotationURLClassLoader@1e51060} roots=[
    MemoryContextHandler@1119993

    ...

    ..


    DEPLOYMENTS MISSING DEPENDENCIES:
      Deployment "jboss.web.deployment:war=/ROOT" is missing the following dependencies:
        Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")
      Deployment "jboss.web.deployment:war=/WebHelp" is missing the following dependencies:
        Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")
      Deployment "jboss.web.deployment:war=/WizardMiddleware" is missing the following dependencies:
        Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")
      Deployment "jboss.web.deployment:war=/Wizards" is missing the following dependencies:
        Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")
      Deployment "jboss.web.deployment:war=/admin-console" is missing the following dependencies:
        Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")
      Deployment "jboss.web.deployment:war=/invoker" is missing the following dependencies:
        Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")
      Deployment "jboss.web.deployment:war=/jbossws" is missing the following dependencies:
        Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")

     

    DEPLOYMENTS IN ERROR:
      Deployment "jboss.web:service=WebServer" is in error due to the following reason(s): ** NOT FOUND Depends on 'jboss.web:service=WebServer' **
      Deployment "WebServer" is in error due to the following reason(s): java.lang.ClassNotFoundException: org.apache.tomcat.util.
    modeler.modules.MbeansDescriptorsIntrospectionSource from BaseClassLoader@118e146{VFSClassLoaderPolicy@6dca9d{name=vfsfile:/us
    r/jboss-5.1.0.GA/server/default/deploy/jbossweb.sar/ domain=ClassLoaderDomain@1d840d9{name=DefaultDomain parentPolicy=BEFORE p
    arent=org.jboss.bootstrap.NoAnnotationURLClassLoader@1......

     

    Let me know if this helps, or if you need me to capture the whole log file and send it for checking.

    Regards,

    Yogesh

  • 13. Re: JBOSS 5.1.0.GA JBOSS Web Vulnerability
    Jean-Frederic Clere Master

    check that the jbossweb.jar is OK like:

    +++

    [jfclere@jfcpc jbossweb_2.1.x]$ jar tvf ./output/jars/jbossweb.jar | grep MbeansDescriptorsIntrospectionSource

      9194 Tue Jan 17 13:02:14 CET 2012 org/apache/tomcat/util/modeler/modules/MbeansDescriptorsIntrospectionSource.class

    [jfclere@jfcpc jbossweb_2.1.x]$

    +++

    Make sure you use the right version of java to compile.

  • 14. Re: JBOSS 5.1.0.GA JBOSS Web Vulnerability
    Yogesh Tiwari Newbie

    Hi,

    Thanks for your response.

    Following is the info:

    1. I checked and found that the 2.1.9 version of jbossweb.jar does not contain MbeansDescriptorsIntrospectionSource.

        However, I can find it in the default 2.1.3 version jar file:

              $  jar tvf jbossweb.jar  | grep MbeansDescriptorsIntrospectionSource
                9194 Sat Apr 25 14:01:00 CDT 2009 org/apache/tomcat/util/modeler/modules/MbeansDescriptorsIntrospectionSource.class

    2. Another difference I see is that the jbossweb.jar file sizes are different. The 2.1.9 version is smaller than the 2.1.3 version. Is that correct?

             2.1.3 version file size :       2526136
             2.1.9 version file size :       2516982

    3. I am using "jdk_1.5.0_09" to compile & build the jbossweb.jar. This is being used to compile our project as well. I have also checked that the corresponding Ant version, ant_1.6.5, is compatible with the steps given for building the 2.1.9 jbossweb.jar file.

    4. Is there anything missing in the steps?

    FYI, I had downloaded the JBoss Web 2.1.9 package from http://www.jboss.org/jbossweb/downloads/jboss-web.html, and have followed the JBoss Web docs steps for "Building Tomcat".

    Any suggestions?

    Regards~
