Note: This is an archival copy of Security Sun Alert 275850 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1021796.1.
Article ID : 1021796.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-02-03
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Multiple security vulnerabilities in the HTTP TRACE, WebDAV and Digest Authentication Methods in the Sun Java System Web Server and Sun Java System Web Proxy Server



Category
Security

Release Phase
Workaround

Bug Id
6916389, 6916390, 6916391, 6916392, 6917211, 6917212

Product
Sun Java System Web Server 6.1
Sun Java System Web Server 7.0
Sun Java System Web Proxy Server 4.0


Date of Workaround Release
20-Jan-2010

Multiple security vulnerabilities in the HTTP TRACE, WebDAV and Digest Authentication methods:

1. Impact

The following security vulnerabilities have been reported in the Sun Java System Web Server and the Sun Java System Web Proxy Server.

BugIDs 6916389 and 6916390 describe buffer overflow and format string vulnerabilities in the WebDAV extensions to the Sun Java System Web Server.  These issues may allow remote clients to trigger a Web Server crash, thus resulting in a Denial of Service (DoS) condition. These issues may also allow remote unauthorized users to gain elevated privileges, enabling them to access and modify sensitive files.

BugIDs 6916391 and 6917212 describe buffer overflow issues in the Digest Authentication methods in the Sun Java System Web Server and Sun Java System Web Proxy Server, which may allow remote unprivileged users to crash the Web Server or the Web Proxy Server, thus leading to a Denial of Service (DoS) condition. These issues may also lead to execution of arbitrary code with elevated privileges.

BugIDs 6916392 and 6917211 describe heap overflow issues in the HTTP TRACE functionality in the Sun Java System Web Server and Sun Java System Web Proxy Server, which may allow remote unprivileged users to crash the Web Server or the Web Proxy Server, thus leading to a Denial of Service (DoS) condition. These issues may also be exploited to gain unauthorized access to sensitive information.

Sun acknowledges with thanks Evgeny Legerov from Intevydis <www.intevydis.com> for discovering and reporting these issues.

2. Contributing Factors

The issue described in BugID 6916389 can occur in the following releases for the SPARC, x86, Linux, Windows, HP-UX and AIX Platforms:
  • Sun Java System Web Server 7.0 without Update Release 8
The issues described in bugIDs 6916390, 6916391 and 6916392 can occur in the following releases for the SPARC, x86, Linux, Windows, HP-UX and AIX Platforms:
  • Sun Java System Web Server 7.0 without Update Release 8
  • Sun Java System Web Server 6.1 without Service Pack 12
The issues described in bugIDs 6917211 and 6917212 can occur in the following release for the SPARC, x86, Linux, Windows and HP-UX Platforms:
  • Sun Java System Web Proxy Server 4.0 without Service pack 13
Note 1: HTTP TRACE, which is part of the HTTP 1.1 standard and described in RFC 2616, is enabled by default on the Web Server and Web Proxy Server.

Note 2: The issues described in bugIDs 6916389 and 6916390 only affect Web Servers which have enabled the WebDAV functionality. To determine if WebDAV is enabled on a Web Server deployment, do the following:

1. Check for the following entries in the magnus.conf configuration file:

    Init fn="load-modules" shlib="libdavplugin.so" funcs="init-dav,ntrans-dav,pcheck-dav,service-dav"
    Init fn="init-dav" LateInit="yes"

2. Check for the following entries in the obj.conf configuration file of the virtual server:

    <Object name="default">
    ...
    NameTrans fn="ntrans-dav" name="dav"
    ...
    Service fn="service-dav" method="(OPTIONS|PUT|DELETE|COPY|MOVE|PROPFIND|PROPPATCH|LOCK|UNLOCK|MKCOL|ACL|REPORT)"
    ...
    </Object>

    <Object name="dav">
    PathCheck fn="check-acl" acl="dav-src"
    Service fn="service-dav" method="(GET|HEAD|POST|PUT|DELETE|COPY|MOVE|PROPFIND|PROPPATCH|LOCK|UNLOCK|MKCOL|ACL|REPORT)"
    </Object>

Note 3: All deployments of the Web Server and Web Proxy Server are affected by the issues described in bugIDs 6916391 and 6917212, regardless of the authentication mechanism used by the Server, and even if the Servers do not use any authentication mechanism at all.

Note 4: To determine the version of Sun Java System Web Server 6.1 on a system, the following command can be run:

    $ <WS-install>/https-<host>/start -version

(Where <WS-install> is the installation directory of the Web Server and <host> should be the actual host name on which the Web Server is installed).

To determine the version of Sun Java System Web Server 7.0 on a system, the following command can be run:

    $ <WS-install>/bin/wadm --version

(Where <WS-install> is the installation directory of the Web Server).

To determine the version of Sun Java System Web Proxy Server on a system, the following command can be run:

    $ <PS_INSTALL>/bin/ns-proxy -v

(Where <PS_INSTALL> is the installation directory of the Web Proxy Server).

3. Symptoms

Should the described issues occur, the Web Server or the Web Proxy Server may crash, leaving the service unavailable to users for a window of time while the server automatically restarts. Depending on the system configuration, there may be a core file dumped after the service crashes.

There are no predictable symptoms to indicate that these issues have been exploited to execute arbitrary code or to access unauthorized information.

4. Workaround

BugIDs 6916389 and 6916390:

To work around the issues described in bugIDs 6916389 and 6916390, disable WebDAV on the Web Server. WebDAV is disabled by default on the Web Server. If WebDAV has been enabled on the Server, the following steps may be used to disable the feature on Web Server 6.1:

1. Remove the following entries corresponding to WebDAV from the virtual server's obj.conf file to disable WebDAV:

    <Object name="default">
    ...
    NameTrans fn="ntrans-dav" name="dav"
    ...
    Service fn="service-dav" method="(OPTIONS|PUT|DELETE|COPY|MOVE|PROPFIND|PROPPATCH|LOCK|UNLOCK|MKCOL|ACL|REPORT)"
    ...
    </Object>

    <Object name="dav">
    PathCheck fn="check-acl" acl="dav-src"
    Service fn="service-dav" method="(GET|HEAD|POST|PUT|DELETE|COPY|MOVE|PROPFIND|PROPPATCH|LOCK|UNLOCK|MKCOL|ACL|REPORT)"
    </Object>

This step should be performed on all virtual servers on which WebDAV is enabled.

2. Remove the following entries from the file magnus.conf:

    Init fn="load-modules" shlib="libdavplugin.so" funcs="init-dav,ntrans-dav,pcheck-dav,service-dav"
    Init fn="init-dav" LateInit="yes"

On Web Server 7.0, WebDAV can be disabled with the following command:

    $ <WS-install>/bin/wadm disable-webdav --user=admin --password-file=<password_file> --host=<host> --port=<port> --config=<config>

Note: Restart the Web Server after disabling WebDAV. Once disabled, all legitimate uses of WebDAV will also be disabled.

BugIDs 6916391 and 6917212:

To work around the issues described in bugIDs 6916391 (WebServer) and 6917212 (Proxy Server), the server must be prevented from processing Authorization headers with the "Digest" method. This may be accomplished by removing or overwriting the "Digest" header line in the request with a safe value. The following examples illustrate some of the methods to accomplish this:

1. Filter HTTP headers containing the "Authorization: Digest" string via firewalls, load balancers or reverse proxies. Please refer to the appropriate documentation for configuring HTTP filters.

2. On Web Server 7.0, add the following rule to the file "obj.conf" to overwrite the Authorization header containing the string "Digest":

    <If defined $headers{'authorization'} and $headers{'authorization'} =~ "(?i)digest">
    NameTrans fn="set-variable" $headers{'authorization'} = "refuse"
    </If>

3. On Web Server 6.1, add the following rule to the file "obj.conf" to refuse those connections which include the string "Digest" in the Authorization header:

    <Client variable-headers="authorization:*[Dd][Ii][Gg][Ee][Ss][Tt]*">
    AuthTrans fn="set-variable" insert-srvhdrs="authorization:refuse" error=403
    </Client>

Note: Restart the Web Server after implementing the above steps. Preventing the server from processing Digest headers will prevent all legitimate uses of Digest Authentication.

BugIDs 6916392 and 6917211:

To work around the issues described in bugIDs 6916392 (Web Server) and 6917211 (Proxy Server), disable HTTP TRACE support by commenting out (with #) the corresponding entry in the 'obj.conf' file:

    # Service method="TRACE" fn="service-trace"

Restart the Web Server/Web Proxy Server after editing the file.
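As an added check that is not part of this Sun Alert or of the product, the following POSIX shell script audits one instance's magnus.conf and obj.conf for the WebDAV entries listed in Note 2 and for the section 4 workarounds, so that all three items can be verified together after editing: whether the WebDAV plugin or service-dav directives are still live, whether an uncommented TRACE Service line remains, and whether one of the Digest-refusing rules (the 7.0 <If> rule or the 6.1 <Client> rule) is present. The config file locations, the two constructed sample instances and the pattern matching are assumptions of this script, not of the advisory.

```shell
#!/bin/sh
# Added audit helper, not part of the Sun Alert or of the Web Server product.
# It reads an instance's magnus.conf and obj.conf (paths are assumptions; on
# 6.1 they live under the instance's config directory) and reports whether
# each of the three features covered by the advisory is still exposed.

# Strip comment lines so a "# Service method=..." entry does not count as live.
live_lines() { grep -v '^[[:space:]]*#' "$1" 2>/dev/null; }

# WebDAV counts as enabled if the plugin is loaded in magnus.conf or any
# service-dav directive is live in obj.conf (the entries listed in Note 2).
webdav_enabled() {
    live_lines "$1" | grep -q 'libdavplugin\.so' && return 0
    live_lines "$2" | grep -q 'fn="service-dav"'
}

# HTTP TRACE is served while the service-trace line is not commented out.
trace_enabled() {
    live_lines "$1" | grep -q 'method="TRACE"'
}

# The Digest workaround from section 4 is the 7.0 <If> rule or the 6.1
# <Client> rule; either pattern present means Digest headers are neutralised.
digest_workaround_present() {
    live_lines "$1" | grep -q -e '(?i)digest' -e '\[Dd\]\[Ii\]\[Gg\]\[Ee\]\[Ss\]\[Tt\]'
}

# Print one line per finding; return 0 only when nothing is exposed.
audit_instance() {
    magnus="$1/magnus.conf"; obj="$1/obj.conf"; exposed=0
    if webdav_enabled "$magnus" "$obj"; then
        echo "WebDAV enabled: disable or patch (6916389, 6916390)"; exposed=1
    fi
    if trace_enabled "$obj"; then
        echo "HTTP TRACE served: comment out service-trace (6916392, 6917211)"; exposed=1
    fi
    if ! digest_workaround_present "$obj"; then
        echo "Digest Authorization not filtered: add obj.conf rule (6916391, 6917212)"; exposed=1
    fi
    return $exposed
}

# Constructed sample instances for a stand-alone run (not real deployments).
make_samples() {
    base="$1"
    mkdir -p "$base/vuln" "$base/hardened"
    cat > "$base/vuln/magnus.conf" <<'EOF'
Init fn="load-modules" shlib="libdavplugin.so" funcs="init-dav,ntrans-dav,pcheck-dav,service-dav"
Init fn="init-dav" LateInit="yes"
EOF
    cat > "$base/vuln/obj.conf" <<'EOF'
<Object name="default">
NameTrans fn="ntrans-dav" name="dav"
Service method="TRACE" fn="service-trace"
Service fn="service-dav" method="(OPTIONS|PUT|DELETE|COPY|MOVE|PROPFIND|PROPPATCH|LOCK|UNLOCK|MKCOL|ACL|REPORT)"
</Object>
EOF
    : > "$base/hardened/magnus.conf"
    cat > "$base/hardened/obj.conf" <<'EOF'
<Object name="default">
<If defined $headers{'authorization'} and $headers{'authorization'} =~ "(?i)digest">
NameTrans fn="set-variable" $headers{'authorization'} = "refuse"
</If>
# Service method="TRACE" fn="service-trace"
</Object>
EOF
}

# Stand-alone run: audit both constructed samples.
SAMPLES=$(mktemp -d)
make_samples "$SAMPLES"
for inst in vuln hardened; do
    echo "== $inst =="
    if audit_instance "$SAMPLES/$inst"; then echo "no exposed features"; fi
done
rm -rf "$SAMPLES"
```

Point audit_instance at a real instance directory after applying the workarounds; an empty report confirms that the TRACE line is commented out, no service-dav or libdavplugin.so directive survives, and a Digest-refusing rule is in place. The script only inspects the files, so a restart of the server (as the advisory requires) is still needed for the edits to take effect.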

5. Resolution

These issues have been addressed in the following releases for the SPARC, x86, Linux, Windows, HP-UX and AIX Platforms:
  • Sun Java System Web Server 7.0 Release 8 or later
Available at:
https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMI-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=SJWS-7.0U8-OTH-G-F@CDS-CDS_SMI
  • Sun Java System Web Server 6.1 Service Pack 12 or later
Available at:
https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMI-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=SJWS-6.1-SP12-OTH-G-F@CDS-CDS_SMI

A final resolution is pending completion for the Sun Java System Web Proxy Server and for the Sun Java System Web Server native patches.

For more information on Security Sun Alerts, see 1009886.1.
This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2010 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.