3 Replies Latest reply on Oct 25, 2017 11:41 AM by ptyagi_redhat.com

Disable Trace or Track on Wildfly 9.0.2 Final to mitigate Vulnerability Issue

jmart537 Sep 22, 2017 11:19 AM

Wildfly version 9.0.2 Final

Facing an VA score medium level

This is VA that i got hit by this version
https://www.tenable.com/plugins/index.php?view=single&id=11213

[standalone@localhost:9990 /] /subsystem=undertow/server=default-server/ht tp-listener=default:read-resource
{
"outcome" => "success",
"result" =>

{ "allow-encoded-slash" => false, "allow-equals-in-cookie-value" => false, "always-set-keep-alive" => true, "buffer-pipelined-data" => true, "buffer-pool" => "default", "certificate-forwarding" => false, "decode-url" => true, "enable-http2" => false, "enabled" => true, "max-buffered-request-size" => 16384, "max-cookies" => 200, "max-header-size" => 1048576, "max-headers" => 200, "max-parameters" => 1000, "max-post-size" => 104857600L, "no-request-timeout" => undefined, "proxy-address-forwarding" => false, "read-timeout" => undefined, "receive-buffer" => undefined, "record-request-start-time" => false, "redirect-socket" => undefined, "request-parse-timeout" => undefined, "resolve-peer-address" => false, "send-buffer" => undefined, "socket-binding" => "http", "tcp-backlog" => undefined, "tcp-keep-alive" => undefined, "url-charset" => "UTF-8", "worker" => "default", "write-timeout" => undefined }

}
[standalone@localhost:9990 /]

Above i do not have any attribute to state disallowed methods for TRACE and TRACK.

How to i work around with it, since this version of mine will be Final Version and i want to have a workaround

Any Gurus can assist me how to work around since this version does not have that attribute which is disallow-methods

1. Re: Disable Trace or Track on Wildfly 9.0.2 Final to mitigate Vulnerability Issue

ptyagi_redhat.com Oct 25, 2017 2:19 AM (in response to jmart537)

You can disable TRACE and TRACK http-methods in your application WEB-INF/web.xml .
Actions
2. Re: Disable Trace or Track on Wildfly 9.0.2 Final to mitigate Vulnerability Issue

jmart537 Oct 25, 2017 2:39 AM (in response to jmart537)

Hi Priyanka Tyagi,

Can you share with me what to configure in the web.xml file so that i can just disable both above?

Great if you do that.

Regards
Actions
3. Re: Disable Trace or Track on Wildfly 9.0.2 Final to mitigate Vulnerability Issue

ptyagi_redhat.com Oct 25, 2017 11:41 AM (in response to jmart537)

The configuration will be like below:

<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
<http-method>TRACE</http-method>
<http-method>TRACK</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
Actions

Go to original post