tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Vulnerability from PCI scan
Date Wed, 02 Nov 2016 15:05:56 GMT

Carl,

On 11/1/16 6:05 PM, Carl K. wrote:
> On 11/1/2016 5:25 PM, Christopher Schultz wrote:
> Carl,
> 
> On 11/1/16 5:11 PM, Carl K. wrote:
>>>> Control Scan has returned this as a vulnerability in Tomcat 
>>>> 8.0.38:
>>>> 
>>>> Vulnerable version of Apache Tomcat: 8.0.38
>>>> 
>>>> Risk: High (3) Port: 443/tcp Protocol: tcp Threat ID: 
>>>> web_dev_tomcatver
>>>> 
>>>> Details: 404 Error Page Cross Site Scripting Vulnerability 
>>>> 12/21/09 Apache Tomcat is prone to a cross-site scripting 
>>>> vulnerability because it fails to properly sanitize
>>>> user-supplied input. An attacker may leverage this issue to
>>>> execute arbitrary script code in the browser of an
>>>> unsuspecting user in the context of the affected site. Apache
>>>> Tomcat mitigates HTTP_PROXY environment variable "httpoxy"
>>>> issue
>>>> 
>>>> I have read everything I can find and it still doesn't make 
>>>> sense... can someone help to point me in the correct
>>>> direction?
>>>> 
>>>> I am further puzzled because this is the first time this has
>>>> come up and we run Tomcat for years... note that the date is
>>>> listed as 12-21-2009.
> Technically, this is not a vulnerability in Tomcat (or any 
> reverse-proxy, such as httpd) but it does represent a failure to 
> protect stupid command-line utilities from making bad decisions
> about trusting environment variables.
> 
> Long story short, if using the CGI Servlet, any headers coming
> from the request are set as HTTP_* environment variables on a
> script that is executed as a CGI script. Notably, python, Perl, and
> PHP (and others) use an environment variable called HTTP_PROXY to
> indicate the presence of a forward-proxy to be used for outgoing
> HTTP connections. Thus, setting a "Proxy" header in an HTTP request
> to Tomcat will result in a CGI script seeing that value in the
> HTTP_PROXY environment variable. This could present a problem in
> your environment, but is possible to mitigate in a number of
> different ways.
> 
> https://www.apache.org/security/asf-httpoxy-response.txt
> 
> I have no idea where your scanner got the date 2009-12-21. Perhaps 
> they took the recently-disclosed CVE (CVE-2016-5388 -- note the
> year on that CVE identifier) and made a best-guess of when the
> product was first vulnerable. The first beta version of Tomcat 7
> wasn't available until 2010, so perhaps they were considering
> Tomcat 6 as well. But Tomcat 6's history goes back well before
> that. Honestly, I think they may have picked that date out of the
> air.
> 
> At any rate, you are safe if any of the following are true:
> 
> 1. You don't use the CGI servlet
> 2. You don't use any scripts that use HTTP_PROXY in this manner (this
>    is a weak criterion, since you may not KNOW if you are using such
>    scripts)
> 3. You don't allow outgoing HTTP requests from your application
>    servers, and no error messages produced by those scripts would leak
>    any information like URLs, etc.
> 4. You have a reverse-proxy (e.g. httpd) and explicitly remove any
>    "proxy" headers from incoming HTTP requests
> 
> Mitigation is possible through a variety of means. If you aren't 
> vulnerable, this scan is likely to complain merely because of the 
> version number of Tomcat and the fact that this CVE hasn't
> officially been closed, yet.
> 
>> That is about where I had gotten to.
> 
>> I really appreciate your quick and thorough response.

I dug a bit, and it seems that this was fixed in Tomcat 8.0.38, as per
the changelog[1]. Search for CVE-2016-5388 (or httpoxy) and you'll see
it's in there. So your scanning is either incorrect or you have
explicitly whitelisted the "PROXY" header for your CGIs. I suspect you
have no CGIs and the scanner is just dumping a list of things that
*might* be vulnerabilities.

- -chris
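The mechanism Chris describes (request header -> HTTP_* environment variable -> proxy-aware client library inside the CGI script) and the allow-list style of mitigation, as an added example that is not part of the original thread and is not Tomcat's CGI servlet code. The request headers are constructed, the allow-list regex is an illustrative assumption rather than Tomcat's actual default, and the script side uses CPython's own urllib proxy lookup to show what a modern interpreter does with HTTP_PROXY when it detects it is running under CGI:

```python
"""Added example (not code from the original message or from Tomcat): a model of
how a CGI-style header-to-environment mapping turns a client-supplied "Proxy:"
header into HTTP_PROXY, how an allow-list stops it, and what a proxy-aware
client library inside the script then sees."""
import os
import re
from unittest import mock
from urllib.request import getproxies_environment

# Constructed sample request headers: everything is ordinary except the
# attacker-controlled "Proxy" header, which no browser sends on its own.
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "curl/7.50.0",
    "Accept": "*/*",
    "Proxy": "http://attacker.example:8080",
}

ATTACKER_PROXY = SAMPLE_HEADERS["Proxy"]


def meta_variable(header_name):
    """RFC 3875 section 4.1.18: HTTP_ + header name upper-cased, '-' -> '_'."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def cgi_env_naive(headers):
    """Pre-fix behaviour: every request header becomes an HTTP_* variable,
    so "Proxy: <url>" becomes HTTP_PROXY=<url>."""
    return {meta_variable(name): value for name, value in headers.items()}


# Illustrative allow-list of header names (an assumption for this example,
# not Tomcat's actual default): only well-known headers reach the script.
ALLOWED_HEADERS = re.compile(
    r"ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT"
)


def cgi_env_hardened(headers, allowed=ALLOWED_HEADERS):
    """Fixed behaviour: forward only allow-listed headers. "Proxy" is not in
    the list, so HTTP_PROXY can never be set from client input."""
    return {
        meta_variable(name): value
        for name, value in headers.items()
        if allowed.fullmatch(name.upper())
    }


def proxy_used_by_script(env, request_method="GET"):
    """What urllib would use as its HTTP forward proxy if the script ran with
    exactly `env` as its environment. A CGI server also sets REQUEST_METHOD;
    CPython since the CVE-2016-1000110 fix treats that as the signal that it
    is inside CGI and ignores an upper-case HTTP_PROXY. Pass
    request_method=None to model an interpreter or environment without that
    guard, i.e. the case the original report is about."""
    script_env = dict(env)
    if request_method is not None:
        script_env["REQUEST_METHOD"] = request_method
    # Swap in a controlled environment so the host's own proxy settings
    # cannot leak into the result; restored on exit.
    with mock.patch.dict(os.environ, script_env, clear=True):
        return getproxies_environment().get("http")


if __name__ == "__main__":
    naive = cgi_env_naive(SAMPLE_HEADERS)
    hardened = cgi_env_hardened(SAMPLE_HEADERS)
    print("naive HTTP_PROXY     :", naive.get("HTTP_PROXY"))
    print("hardened HTTP_PROXY  :", hardened.get("HTTP_PROXY"))
    print("urllib, no CGI guard :", proxy_used_by_script(naive, request_method=None))
    print("urllib, CGI guard    :", proxy_used_by_script(naive))
```

The naive mapping hands the attacker's URL to any library in the script that honours HTTP_PROXY; the allow-list never produces the variable at all, which is the same outcome whether or not the interpreter happens to have its own guard. Item 4 of the list above is the other place to cut this off: the ASF response linked in the thread recommends, for an httpd reverse proxy with mod_headers, `RequestHeader unset Proxy early`, so the header is gone before anything behind httpd can map it.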
