From "Carl K." <c...@etrak-plus.com>
Subject Re: Vulnerability from PCI scan
Date Wed, 02 Nov 2016 15:23:35 GMT
Chris,

On 11/2/2016 11:05 AM, Christopher Schultz wrote:
> Carl,
>
> On 11/1/16 6:05 PM, Carl K. wrote:
>> On 11/1/2016 5:25 PM, Christopher Schultz wrote:
>> Carl,
>>
>> On 11/1/16 5:11 PM, Carl K. wrote:
>>>>> Control Scan has returned this as a vulnerability in Tomcat
>>>>> 8.0.38:
>>>>>
>>>>> Vulnerable version of Apache Tomcat: 8.0.38
>>>>>
>>>>> Risk: High (3) Port: 443/tcp Protocol: tcp Threat ID:
>>>>> web_dev_tomcatver
>>>>>
>>>>> Details: 404 Error Page Cross Site Scripting Vulnerability
>>>>> 12/21/09 Apache Tomcat is prone to a cross-site scripting
>>>>> vulnerability because it fails to properly sanitize
>>>>> user-supplied input. An attacker may leverage this issue to
>>>>> execute arbitrary script code in the browser of an
>>>>> unsuspecting user in the context of the affected site. Apache
>>>>> Tomcat mitigates HTTP_PROXY environment variable "httpoxy"
>>>>> issue
>>>>>
>>>>> I have read everything I can find and it still doesn't make
>>>>> sense... can someone help to point me in the correct
>>>>> direction?
>>>>>
>>>>> I am further puzzled because this is the first time this has
>>>>> come up and we run Tomcat for years... note that the date is
>>>>> listed as 12-21-2009.
>> Technically, this is not a vulnerability in Tomcat (or any
>> reverse-proxy, such as httpd) but it does represent a failure to
>> protect stupid command-line utilities from making bad decisions
>> about trusting environment variables.
>>
>> Long story short, if using the CGI Servlet, any headers coming
>> from the request are set as HTTP_* environment variables on a
>> script that is executed as a CGI script. Notably, python, Perl, and
>> PHP (and others) use an environment variable called HTTP_PROXY to
>> indicate the presence of a forward-proxy to be used for outgoing
>> HTTP connections. Thus, setting a "Proxy" header in an HTTP request
>> to Tomcat will result in a CGI script seeing that value in the
>> HTTP_PROXY environment variable. This could present a problem in
>> your environment, but is possible to mitigate in a number of
>> different ways.
>>
>> https://www.apache.org/security/asf-httpoxy-response.txt
>>
>> I have no idea where your scanner got the date 2009-12-21. Perhaps
>> they took the recently-disclosed CVE (CVE-2016-5388 -- note the
>> year on that CVE identifier) and made a best-guess of when the
>> product was first vulnerable. The first beta version of Tomcat 7
>> wasn't available until 2010, so perhaps they were considering
>> Tomcat 6 as well. But Tomcat 6's history goes back well before
>> that. Honestly, I think they may have picked that date out of the
>> air.
>>
>> At any rate, you are safe if any of the following are true:
>>
>> 1. You don't use the CGI servlet
>> 2. You don't use any scripts that use HTTP_PROXY in this manner (this
>>    is a weak criterion, since you may not KNOW if you are using such
>>    scripts)
>> 3. You don't allow outgoing HTTP requests from your application
>>    servers, and no error messages produced by those scripts would leak
>>    any information like URLs, etc.
>> 4. You have a reverse-proxy (e.g. httpd) and explicitly remove any
>>    "proxy" headers from incoming HTTP requests
>>
>> Mitigation is possible through a variety of means. If you aren't
>> vulnerable, this scan is likely to complain merely because of the
>> version number of Tomcat and the fact that this CVE hasn't
>> officially been closed, yet.
>>
>>> That is about where I had gotten to.
>>> I really appreciate your quick and thorough response.
> I dug a bit, and it seems that this was fixed in Tomcat 8.0.38, as per
> the changelog[1]. Search for CVE-2016-5388 (or httpoxy) and you'll see
> it's in there. So your scanning is either incorrect or you have
> explicitly whitelisted the "PROXY" header for your CGIs. I suspect you
> have no CGIs and the scanner is just dumping a list of things that
> *might* be vulnerabilities.
>
> - -chris

That is what I am thinking and I have relayed that to ControlScan.

Thanks,

Carl
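The header-to-environment mapping Chris describes above, together with the two mitigations the thread mentions (an allow-list of request headers inside the CGI servlet, and stripping the "Proxy" header at the reverse proxy), as an added Python example. This is not code from the thread or from Tomcat itself. The request headers and the environment dump are constructed sample input, and the allow-list pattern is an assumption modelled on the envHttpHeaders init-parameter Tomcat's CGI servlet uses for httpoxy, not quoted from its documentation; check the CGI servlet docs for your Tomcat version.

```python
import re
from typing import Dict, List, Optional, Tuple

Headers = List[Tuple[str, str]]

# Constructed sample request, as the CGI servlet would receive it. The
# "Proxy" header is the attacker-controlled one at the heart of httpoxy.
SAMPLE_HEADERS: Headers = [
    ("Host", "shop.example.test"),
    ("User-Agent", "curl/7.47.0"),
    ("Accept", "*/*"),
    ("Cookie", "JSESSIONID=0123456789ABCDEF"),
    ("Proxy", "http://203.0.113.7:8080"),  # attacker-supplied
]


def header_to_env_name(name: str) -> str:
    """CGI rule (RFC 3875, section 4.1.18): upper-case the header name,
    replace '-' with '_' and prefix HTTP_. So "Proxy" -> "HTTP_PROXY"."""
    return "HTTP_" + name.upper().replace("-", "_")


def cgi_env_unfiltered(headers: Headers) -> Dict[str, str]:
    """Pre-fix behaviour: every request header is exported to the script."""
    return {header_to_env_name(n): v for n, v in headers}


# Assumed allow-list, modelled on the envHttpHeaders pattern of Tomcat's
# CGIServlet. Treat the exact pattern as an assumption, not as Tomcat's.
ASSUMED_ALLOWED_HEADERS: re.Pattern = re.compile(
    r"ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT"
)


def cgi_env_filtered(headers: Headers,
                     allowed: re.Pattern = ASSUMED_ALLOWED_HEADERS) -> Dict[str, str]:
    """Fixed behaviour: only headers matching the allow-list are exported.
    A header that is not listed (Proxy included) never reaches the script."""
    return {header_to_env_name(n): v
            for n, v in headers if allowed.fullmatch(n.upper())}


def strip_proxy_header(headers: Headers) -> Headers:
    """Mitigation 4 from the thread, done in front of Tomcat: the reverse
    proxy drops any 'Proxy' header before forwarding the request."""
    return [(n, v) for n, v in headers if n.lower() != "proxy"]


def outbound_proxy_from_env(env: Dict[str, str]) -> Optional[str]:
    """What a naive HTTP client inside the CGI script does: if HTTP_PROXY is
    set, route outgoing requests through it. Returns the proxy URL the
    script would use, or None."""
    return env.get("HTTP_PROXY")


def httpoxy_exposed(env_dump: str) -> Optional[str]:
    """Check helper: given KEY=VALUE output from a diagnostic CGI that prints
    its environment (as 'printenv' would), return the HTTP_PROXY value if
    the server reflected the Proxy header, else None."""
    for line in env_dump.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "HTTP_PROXY":
            return value.strip()
    return None


# Constructed environment dump, as a diagnostic CGI on an unfixed server
# might print it after receiving SAMPLE_HEADERS.
SAMPLE_ENV_DUMP = "\n".join(
    "{}={}".format(k, v) for k, v in cgi_env_unfiltered(SAMPLE_HEADERS).items()
)

if __name__ == "__main__":
    print("unfiltered :", outbound_proxy_from_env(cgi_env_unfiltered(SAMPLE_HEADERS)))
    print("allow-list :", outbound_proxy_from_env(cgi_env_filtered(SAMPLE_HEADERS)))
    print("stripped   :", outbound_proxy_from_env(
        cgi_env_unfiltered(strip_proxy_header(SAMPLE_HEADERS))))
    print("exposed?   :", httpoxy_exposed(SAMPLE_ENV_DUMP))
```

Run as-is to see the unfiltered mapping hand the attacker's proxy URL to the script while both mitigations leave HTTP_PROXY unset. To turn httpoxy_exposed() into a live check, point a request carrying a "Proxy:" header at a CGI that dumps its environment and feed the response body to it; an empty result from a server you cannot otherwise verify is only evidence that this one script does not reflect the header, not that the CGI servlet is fixed.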


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org