Subject: Re: Vulnerability from PCI scan
To: Tomcat Users List
References: <69f82492-afc0-c65d-9586-02c0bcfc5683@christopherschultz.net> <53443cf6-ce49-2324-47b3-f480a3aabbd7@christopherschultz.net>
From: "Carl K."
Message-ID: <3746f5e3-f135-dde5-f5db-e69f5dbfaac8@etrak-plus.com>
Date: Wed, 2 Nov 2016 11:23:35 -0400
In-Reply-To: <53443cf6-ce49-2324-47b3-f480a3aabbd7@christopherschultz.net>

Chris,

On 11/2/2016 11:05 AM, Christopher Schultz wrote:
> Carl,
>
> On 11/1/16 6:05 PM, Carl K. wrote:
>> On 11/1/2016 5:25 PM, Christopher Schultz wrote:
>>> Carl,
>>>
>>> On 11/1/16 5:11 PM, Carl K. wrote:
>>>> Control Scan has returned this as a vulnerability in Tomcat 8.0.38:
>>>>
>>>> Vulnerable version of Apache Tomcat: 8.0.38
>>>>
>>>> Risk: High (3) Port: 443/tcp Protocol: tcp Threat ID: web_dev_tomcatver
>>>>
>>>> Details: 404 Error Page Cross Site Scripting Vulnerability 12/21/09
>>>> Apache Tomcat is prone to a cross-site scripting vulnerability because
>>>> it fails to properly sanitize user-supplied input. An attacker may
>>>> leverage this issue to execute arbitrary script code in the browser of
>>>> an unsuspecting user in the context of the affected site. Apache Tomcat
>>>> mitigates HTTP_PROXY environment variable "httpoxy" issue
>>>>
>>>> I have read everything I can find and it still doesn't make sense...
>>>> can someone help to point me in the correct direction?
>>>>
>>>> I am further puzzled because this is the first time this has come up
>>>> and we have run Tomcat for years... note that the date is listed as
>>>> 12-21-2009.
>>>
>>> Technically, this is not a vulnerability in Tomcat (or any
>>> reverse-proxy, such as httpd) but it does represent a failure to
>>> protect stupid command-line utilities from making bad decisions about
>>> trusting environment variables.
>>>
>>> Long story short, if using the CGI Servlet, any headers coming from the
>>> request are set as HTTP_* environment variables on a script that is
>>> executed as a CGI script. Notably, Python, Perl, and PHP (and others)
>>> use an environment variable called HTTP_PROXY to indicate the presence
>>> of a forward-proxy to be used for outgoing HTTP connections. Thus,
>>> setting a "Proxy" header in an HTTP request to Tomcat will result in a
>>> CGI script seeing that value in the HTTP_PROXY environment variable.
>>> This could present a problem in your environment, but is possible to
>>> mitigate in a number of different ways.
>>>
>>> https://www.apache.org/security/asf-httpoxy-response.txt
>>>
>>> I have no idea where your scanner got the date 2009-12-21. Perhaps they
>>> took the recently-disclosed CVE (CVE-2016-5388 -- note the year on that
>>> CVE identifier) and made a best-guess of when the product was first
>>> vulnerable. The first beta version of Tomcat 7 wasn't available until
>>> 2010, so perhaps they were considering Tomcat 6 as well. But Tomcat 6's
>>> history goes back well before that. Honestly, I think they may have
>>> picked that date out of the air.
>>>
>>> At any rate, you are safe if any of the following are true:
>>>
>>> 1. You don't use the CGI servlet
>>> 2. You don't use any scripts that use HTTP_PROXY in this manner (this
>>>    is a weak criterion, since you may not KNOW if you are using such
>>>    scripts)
>>> 3. You don't allow outgoing HTTP requests from your application
>>>    servers, and no error messages produced by those scripts would leak
>>>    any information like URLs, etc.
>>> 4. If you have a reverse-proxy (e.g. httpd) and explicitly remove any
>>>    "proxy" headers from incoming HTTP requests
>>>
>>> Mitigation is possible through a variety of means. If you aren't
>>> vulnerable, this scan is likely to complain merely because of the
>>> version number of Tomcat and the fact that this CVE hasn't officially
>>> been closed, yet.
>>
>> That is about where I had gotten to.
>> I really appreciate your quick and thorough response.
>
> I dug a bit, and it seems that this was fixed in Tomcat 8.0.38, as per
> the changelog[1]. Search for CVE-2016-5388 (or httpoxy) and you'll see
> it's in there. So your scanning is either incorrect or you have
> explicitly whitelisted the "PROXY" header for your CGIs. I suspect you
> have no CGIs and the scanner is just dumping a list of things that
> *might* be vulnerabilities.
>
> -chris

That is what I am thinking and I have relayed that to ControlScan.

Thanks,

Carl

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
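The mechanism Chris describes (request headers becoming HTTP_* environment variables for a CGI script, so that a client-supplied "Proxy" header lands in HTTP_PROXY) and the two places a defender can break that chain, as an added example that is not part of the thread and not Tomcat's or httpd's own code. The header-to-variable mapping follows the CGI rule (uppercase, "-" to "_", HTTP_ prefix); the request headers, environment dicts and access-log lines are constructed for the demo, and the log format assumes an access log whose last quoted field is the incoming Proxy header (a Tomcat AccessLogValve pattern ending in "%{Proxy}i" would produce that; the field name and layout are assumptions here).

```python
"""Added example: the CGI header-to-environment mapping behind "httpoxy",
the gateway-side and script-side mitigations, and a log check for probes.
Not from the mailing-list thread or from Tomcat; all data is constructed."""

from typing import Dict, Iterable, List, Optional, Tuple

Header = Tuple[str, str]

# Request headers that must never reach a CGI script's environment,
# because they map onto variables HTTP client libraries treat as
# outbound-proxy configuration.
BLOCKED_HEADERS = frozenset({"proxy"})


def header_to_cgi_var(name: str) -> str:
    """CGI rule: uppercase, '-' becomes '_', prefix HTTP_.
    'Proxy' -> 'HTTP_PROXY'; 'X-Forwarded-For' -> 'HTTP_X_FORWARDED_FOR'."""
    return "HTTP_" + name.strip().upper().replace("-", "_")


def cgi_env_from_headers(headers: Iterable[Header],
                         strip_blocked: bool = True
                         ) -> Tuple[Dict[str, str], List[str]]:
    """Build the HTTP_* part of a CGI environment from request headers.

    strip_blocked=False reproduces the naive gateway behaviour the thread
    describes: a client-supplied 'Proxy' header becomes HTTP_PROXY.
    strip_blocked=True is the gateway-side mitigation: the header is
    dropped and its name returned so the caller can log the attempt.
    """
    env: Dict[str, str] = {}
    dropped: List[str] = []
    for name, value in headers:
        if strip_blocked and name.strip().lower() in BLOCKED_HEADERS:
            dropped.append(name)
            continue
        env[header_to_cgi_var(name)] = value
    return env, dropped


def outbound_proxy_naive(env: Dict[str, str]) -> Optional[str]:
    """What a script that trusts HTTP_PROXY unconditionally would use."""
    return env.get("HTTP_PROXY") or None


def outbound_proxy_cgi_aware(env: Dict[str, str]) -> Optional[str]:
    """Script-side mitigation: when running under CGI (REQUEST_METHOD is
    present) HTTP_PROXY is client-controlled, so it is ignored there and
    only honoured in a normal, non-CGI process environment."""
    if "REQUEST_METHOD" in env:
        return None
    return env.get("HTTP_PROXY") or None


# Constructed access-log lines; the last quoted field is the request's
# Proxy header ('-' when the client did not send one).
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Nov/2016:11:23:35 -0400] "GET /cgi-bin/env.cgi HTTP/1.1" 200 512 "-"',
    '10.0.0.6 - - [02/Nov/2016:11:24:01 -0400] "GET /cgi-bin/env.cgi HTTP/1.1" 200 512 "http://203.0.113.9:8080"',
    '10.0.0.7 - - [02/Nov/2016:11:24:09 -0400] "GET /index.html HTTP/1.1" 200 1024 "-"',
]


def requests_with_proxy_header(log_lines: Iterable[str]) -> List[str]:
    """Detection: return the log lines whose Proxy-header field is set.
    Any hit is worth investigating, since browsers never send that header."""
    hits: List[str] = []
    for line in log_lines:
        line = line.rstrip()
        if not line.endswith('"'):
            continue
        last_field = line[:-1].rsplit('"', 1)[-1]
        if last_field and last_field != "-":
            hits.append(line)
    return hits


if __name__ == "__main__":
    # Constructed request in which the client smuggles a Proxy header.
    headers = [("Host", "users.example.com"),
               ("User-Agent", "demo"),
               ("Proxy", "http://203.0.113.9:8080")]
    env, _ = cgi_env_from_headers(headers, strip_blocked=False)
    print("naive gateway   : HTTP_PROXY =", env.get("HTTP_PROXY"),
          "| naive script uses", outbound_proxy_naive(env),
          "| cgi-aware script uses", outbound_proxy_cgi_aware(dict(env, REQUEST_METHOD="GET")))
    env, dropped = cgi_env_from_headers(headers)
    print("hardened gateway: dropped", dropped, "| HTTP_PROXY =", env.get("HTTP_PROXY"))
    print("log hits        :", requests_with_proxy_header(SAMPLE_LOG))
```

The two mitigations are independent and worth applying together: stripping the header at the gateway covers every script behind it, while the REQUEST_METHOD check is what patched language runtimes do so a script stays safe even behind an unpatched gateway. The ASF response document linked in the thread takes the gateway approach for httpd deployments (removing the Proxy header before it is forwarded), and the detection function gives you a way to see whether anyone is actually sending that header rather than guessing from a version-based scanner report.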