1 2 Previous Next 18 Replies Latest reply: Oct 30, 2012 6:10 AM by Yogesh Tiwari RSS

    JBOSS 5.1.0.GA JBOSS Web Vulunerability

    Ed Lam Newbie

      Recently we did a security scan and found the following vulunerability:-

       

      The remote Apache Tomcat service is vulnerable to information disclosure or a denial of service attack due to a mishandling of  invalid values for the Transfer-Encoding' HTTP header as sent by a client.

       

      I understand that the jboss web version is 2.1.3, however, I don't know what Apache Tomcat version corresponds to the jboss version 2.1.3, because it was suggested to upgrade to Apache Tomcat version 5.5.30 / 6.0.28 or greater.

       

      Does anyone know if such security vulunerability is fixed in JBOSS 6 ?

       

      Or is there any alternatives such as using a standalone tomcat 6 server to replace the bundled jboss web 2.1.3?

       

      Thanks for any suggestion.

        • 1. Re: JBOSS 5.1.0.GA JBOSS Web Vulunerability
          Jean-Frederic Clere Master

          You are speaking about CVE-2010-2227 no?

           

          It is fixed by r1496 in the jbossweb 2.1.x branch  and fixed in the 2.1.9 (See http://jboss.org/jbossweb/downloads/jboss-web.html).

           

          You could build a new jbossweb.jar using the 2.1.9 sources and replace the 5.0.1.GA ones with it.

          • 2. Re: JBOSS 5.1.0.GA JBOSS Web Vulunerability
            Ed Lam Newbie

            Dear Fred,

             

            Thanks.

             

            But is the 2.1.9 safe to be used for production or

            is it safer to use the 2.1.3 branch (JBOSS 5.1.0.GA jbossweb version is 2.1.3) instead?

             

            Op, sorry, I thought there was a 2.1.3 branch but in fact there is only a 2.1.x branch and I believe 2.1.9 is the latest package updated and the only option for it.  Thanks.

            • 3. Re: JBOSS 5.1.0.GA JBOSS Web Vulunerability
              Jean-Frederic Clere Master

              The community version are not for production, you should look to http://www.jboss.com/services/subscriptions/

              • 4. Re: JBOSS 5.1.0.GA JBOSS Web Vulunerability
                Pedro Silva Newbie

                Hi,

                 

                I did build based on 2.1.9 sources that I got from http://jboss.org/jbossweb/downloads/jboss-web.html and replaced all the jbossweb.jar jars in jboss-5.1.0.GA. I restarted the server and verifid that the JbossWeb version was upgraded:

                 

                [...]

                2010-09-03 16:26:44,437 INFO  [org.apache.catalina.core.StandardEngine] (main) Starting Servlet Engine: JBoss Web/2.1.9.GA

                [...]

                 

                However when running nessus test that verifes the vulnerability it still says it fails.

                 

                Is the fix really in the downloadable sources of 2.1.9 or only in CVS?

                 

                Thanks.

                • 5. Re: JBOSS 5.1.0.GA JBOSS Web Vulunerability
                  Jean-Frederic Clere Master

                  the guess is that nessus doesn't test the vulnerability but guess the version (may be wrongly) and tell it is vulnerable.

                  • 6. Re: JBOSS 5.1.0.GA JBOSS Web Vulunerability
                    Pedro Silva Newbie

                    The plugin output from Nessus is this:

                     

                    Nessus was able to verify this issue using the following request :

                    GET / HTTP/1.1
                    Host: 127.0.0.1
                    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
                    Date: Sat, 3 Jan 1970 21:54:37 GMT
                    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
                    Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
                    Pragma: no-cache
                    Transfer-Encoding: NESSUS
                    Accept-Language: en
                    Connection: Close

                     

                    I've tried to use fiddler to see if I could trigger the error but I see no strange behaviour...

                    • 7. Re: JBOSS 5.1.0.GA JBOSS Web Vulunerability
                      Jean-Frederic Clere Master

                      What is the response?

                      • 8. Re: JBOSS 5.1.0.GA JBOSS Web Vulunerability
                        Pedro Silva Newbie

                        The responses from both are like this:

                         

                         

                        Default JBoss
                        HTTP/1.1 501 Not Implemented
                        Server: Apache-Coyote/1.1
                        Date: Fri, 17 Sep 2010 11:41:24 GMT
                        Connection: close
                        Patched JBoss
                        HTTP/1.1 501 Not Implemented
                        Server: Apache-Coyote/1.1
                        Date: Fri, 17 Sep 2010 11:52:20 GMT
                        Connection: close

                        Default JBoss:

                         

                        HTTP/1.1 501 Not Implemented

                        Server: Apache-Coyote/1.1

                        Date: Fri, 17 Sep 2010 11:41:24 GMT

                        Connection: close

                         

                         

                        Patched JBoss:

                         

                         

                        HTTP/1.1 501 Not Implemented

                        Server: Apache-Coyote/1.1

                        Date: Fri, 17 Sep 2010 11:52:20 GMT

                        Connection: close

                         

                        The nessus plugin does the following check in order to see if there is a vulnerabilty or not:

                         

                        if ("Transfer-Encoding: chunked" >!< w[1] &&

                            "501 Not Implemented" >< w[0] &&

                            egrep(pattern: "^Server:.*(Tomcat|Coyote)", string: w[1])

                        )

                        • 9. Re: JBOSS 5.1.0.GA JBOSS Web Vulunerability
                          Howard Ungar Newbie

                          We came to the exact same conclusion that Nessus is not correctly detecting the jbossweb fix for this vulnerability and have opened a case with Tenable, the makers of Nessus, asking them to fix the plugin..

                          • 10. Re: JBOSS 5.1.0.GA JBOSS Web Vulunerability
                            David liu Newbie

                            I have the same problem who can provide the Solutions to me. our company will scan on October 18th,I am very  Anxious now.

                            my email :  liuxueming8@gmail.com   thanks.

                             

                            I have  upgraded the JBoss version 5.1.0.GA-jdk6 to the JBoss latest version 6.0 (M5) and conducted a scanning.  The 'Apache Tomcat Transfer-Encoding Header Vulnerability' problem still exists,

                            • 11. Re: JBOSS 5.1.0.GA JBOSS Web Vulunerability
                              Pedro Silva Newbie

                              Howard, can you provide the link to the bug report on nessus, so that people can track the status of this issue?

                               

                              Thanks.

                              • 12. Re: JBOSS 5.1.0.GA JBOSS Web Vulunerability
                                Yogesh Tiwari Newbie

                                Hi,

                                I have a relevant request. I have upgraded the Jboss from 4.2.0 to 5.1.0, and now I need to update the Jboss web server from default 2.1.3 to the 2.1.9 version. I have followed few posts which mentions to download the 2.1.9 src code from the web, build it, and then replace the jbossweb.jar file. However, when I do it then there are lots of Deployment errors while bringing up the server.

                                Following is the snapshot of the errors:

                                 

                                2012-10-28 23:31:53,704 ERROR [org.apache.tomcat.util.modeler.Registry] Error loading vfszip:/usr/jboss-5.1.0.GA/server/default/deploy/jbossweb.sar/jbossweb.jar/org/apache/catalina/startup/mbeans-descriptors.xml
                                2012-10-28 23:31:53,707 ERROR [org.apache.tomcat.util.modeler.Registry] Error loading vfszip:/usr/jboss-5.1.0.GA/server/default/deploy/jbossweb.sar/jbossweb.jar/org/apache/catalina/mbeans-descriptors.xml
                                2012-10-28 23:31:53,714 ERROR [org.apache.tomcat.util.modeler.Registry] Error registering jboss.web:type=Catalina
                                java.lang.ClassNotFoundException: org.apache.tomcat.util.modeler.modules.MbeansDescriptorsIntrospectionSource from BaseClassLoader@118e146{VFSClassLoaderPolicy@6dca9d{name=vfsfile:/usr/jboss-5.1.0.GA/server/default/deploy/jbossweb.sar/ domain=ClassLoad
                                erDomain@1d840d9{name=DefaultDomain parentPolicy=BEFORE parent=org.jboss.bootstrap.NoAnnotationURLClassLoader@1e51060} roots=[
                                MemoryContextHandler@1119993

                                ...

                                ..


                                DEPLOYMENTS MISSING DEPENDENCIES:
                                  Deployment "jboss.web.deployment:war=/ROOT" is missing the following dependencies:
                                    Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")
                                  Deployment "jboss.web.deployment:war=/WebHelp" is missing the following dependencies:
                                    Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")
                                  Deployment "jboss.web.deployment:war=/WizardMiddleware" is missing the following dependencies:
                                    Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")
                                  Deployment "jboss.web.deployment:war=/Wizards" is missing the following dependencies:
                                    Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")
                                  Deployment "jboss.web.deployment:war=/admin-console" is missing the following dependencies:
                                    Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")
                                  Deployment "jboss.web.deployment:war=/invoker" is missing the following dependencies:
                                    Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")
                                  Deployment "jboss.web.deployment:war=/jbossws" is missing the following dependencies:
                                    Dependency "jboss.web:service=WebServer" (should be in state "Create", but is actually in state "** NOT FOUND Depends on 'jboss.web:service=WebServer' **")

                                 

                                DEPLOYMENTS IN ERROR:
                                  Deployment "jboss.web:service=WebServer" is in error due to the following reason(s): ** NOT FOUND Depends on 'jboss.web:service=WebServer' **
                                  Deployment "WebServer" is in error due to the following reason(s): java.lang.ClassNotFoundException: org.apache.tomcat.util.
                                modeler.modules.MbeansDescriptorsIntrospectionSource from BaseClassLoader@118e146{VFSClassLoaderPolicy@6dca9d{name=vfsfile:/us
                                r/jboss-5.1.0.GA/server/default/deploy/jbossweb.sar/ domain=ClassLoaderDomain@1d840d9{name=DefaultDomain parentPolicy=BEFORE p
                                arent=org.jboss.bootstrap.NoAnnotationURLClassLoader@1......

                                 

                                Let me know if this helps, or if you need me to capture the whole log file and send for checking.

                                 

                                Regards,

                                Yogesh

                                • 13. Re: JBOSS 5.1.0.GA JBOSS Web Vulunerability
                                  Jean-Frederic Clere Master

                                  check that the jbossweb.jar is OK like:

                                  +++

                                  [jfclere@jfcpc jbossweb_2.1.x]$ jar tvf ./output/jars/jbossweb.jar | grep MbeansDescriptorsIntrospectionSource

                                    9194 Tue Jan 17 13:02:14 CET 2012 org/apache/tomcat/util/modeler/modules/MbeansDescriptorsIntrospectionSource.class

                                  [jfclere@jfcpc jbossweb_2.1.x]$

                                  +++

                                  Make sure you use the right version of java to compile.

                                  • 14. Re: JBOSS 5.1.0.GA JBOSS Web Vulunerability
                                    Yogesh Tiwari Newbie

                                    Hi,

                                    Thanks for your response.

                                    Following is the info:

                                    1. I checked and found that the 2.1.9 version of jbossweb.jar Does-Not contains MbeansDescriptorsIntrospectionSource.

                                        However, I can find it in the default 2.1.3 version jar file:

                                              $  jar tvf jbossweb.jar  | grep MbeansDescriptorsIntrospectionSource
                                                9194 Sat Apr 25 14:01:00 CDT 2009 org/apache/tomcat/util/modeler/modules/MbeansDescriptorsIntrospectionSource.class

                                     

                                    2. Another difference I see is that the jbossweb.jar file sizes are different. The 2.1.9 version is smaller than the 2.1.3 version. Is that correct

                                     

                                    ?

                                             2.1.3 version file size :       2526136
                                             2.1.9 version file size :       2516982          

                                    3. I am using the "jdk_1.5.0_09" to compile & build the jbossweb.jar. This is being used to compile our project as well. I have also checked the corresponding Ant version, ant_1.6.5, is compatible with the steps given for building the 2.1.9 jbossweb.jar file.

                                     

                                    4. Is there anything missing in steps ?

                                     

                                    Fyi, i had downloaded the Jboss Web 2.1.9 package from http://www.jboss.org/jbossweb/downloads/jboss-web.html , and have followed the Jboss-WebDocs steps for "Building Tomcat"

                                    Any suggestions ?

                                    Regards~

                                    1 2 Previous Next