1. Re: How to fix Jboss 4.2.3 CVE-2010-2227 vulnerability issue
melbouci Sep 28, 2010 1:08 PM (in response to sinha1981)
Have you found a way to fix this issue on JBoss 4.2.3?
Thanks
2. Re: How to fix Jboss 4.2.3 CVE-2010-2227 vulnerability issue
howardu Oct 9, 2010 10:06 PM (in response to sinha1981)
It was fixed in JBOSSWEB_2_0_0_GA_CP11 as documented here:
http://fisheye.labs.jboss.com/changelog/JBossWeb?cs=1516
You can download that release or the latest one and build it easily with ant from the subversion repository. Just point NetBeans (or your favorite svn client) to http://anonsvn.jboss.org/repos/jbossweb/tags/
3. Re: How to fix Jboss 4.2.3 CVE-2010-2227 vulnerability issue
melbouci Oct 16, 2010 11:58 AM (in response to howardu)
Checked out http://anonsvn.jboss.org/repos/jbossweb/tags/JBOSSWEB_2_0_0_GA_CP11 and CP15 and replaced the following files in jboss-web-deployer: jbossweb.jar and jbossweb-extra.jar.
Replaced the files servlet-api and jsp-api in the lib.
It did not resolve the issue. It still fails with CVE-2010-2227.
4. Re: How to fix Jboss 4.2.3 CVE-2010-2227 vulnerability issue
jfclere Oct 18, 2010 2:20 AM (in response to melbouci)
Well, if it doesn't fix it, I am afraid you are doing something wrong; it is fixed since CP14.
5. Re: How to fix Jboss 4.2.3 CVE-2010-2227 vulnerability issue
melbouci Oct 19, 2010 11:44 PM (in response to jfclere)
My apologies. It worked.
I had to remove the tmp folder and restart the server.
Thanks for your help.
6. Re: How to fix Jboss 4.2.3 CVE-2010-2227 vulnerability issue
vickyk Oct 28, 2010 1:17 AM (in response to jfclere)
From the source code I don't see the corresponding fix in CP14; the following changes
http://svn.apache.org/viewvc?view=revision&revision=958911
are not present in
Also, http://fisheye.labs.jboss.com/changelog/JBossWeb?cs=1516 does not contain all the fixes as done here:
http://svn.apache.org/viewvc?view=revision&revision=958911
For JBoss 4.2.3 GA the changes need to be made explicitly in the
http://anonsvn.jboss.org/repos/jbossweb/tags/JBOSSWEB_2_0_1_GA source code.
7. Re: How to fix Jboss 4.2.3 CVE-2010-2227 vulnerability issue
jfclere Oct 28, 2010 2:29 AM (in response to vickyk)
That part of the change is only nice to have but doesn't play any role in the vulnerability fixing.
8. Re: How to fix Jboss 4.2.3 CVE-2010-2227 vulnerability issue
vickyk Nov 2, 2010 1:32 AM (in response to jfclere)
Jean-Frederic Clere wrote:
    That part of the change is only nice to have but doesn't play any role in the vulnerability fixing.
So the note attached to this change is wrong:
http://svn.apache.org/viewvc?view=revision&revision=958911
Can you point out the change details link? I would like to verify the changes in the Tomcat version source code.
9. Re: How to fix Jboss 4.2.3 CVE-2010-2227 vulnerability issue
geetadesai Dec 22, 2010 2:21 AM (in response to vickyk)
Hi,
The last comment says it is good to have but doesn't fix the vulnerability issue. Where can we get the fix for this issue? Can anybody please help me?
Thanks,
Geeta
10. Re: How to fix Jboss 4.2.3 CVE-2010-2227 vulnerability issue
jfclere Dec 22, 2010 3:07 AM (in response to geetadesai)
The issue is fixed by r1497 in jbossweb; the part in BufferedInputFilter.java is the minimum you need.
11. Re: How to fix Jboss 4.2.3 CVE-2010-2227 vulnerability issue
geetadesai Dec 29, 2010 7:43 AM (in response to jfclere)
Thanks for the info. Is this the svn location?
http://anonsvn.jboss.org/repos/jbossweb/tags/JBOSSWEB_2_0_1_GA
Thanks,
Geeta
12. Re: How to fix Jboss 4.2.3 CVE-2010-2227 vulnerability issue
jfclere Jan 4, 2011 3:04 AM (in response to geetadesai)
13. Re: How to fix Jboss 4.2.3 CVE-2010-2227 vulnerability issue
geetadesai Jan 13, 2011 5:49 AM (in response to jfclere)
Hi,
Thanks for your response. I took the source from http://anonsvn.jboss.org/repos/jbossweb/tags/JBOSSWEB_2_0_0_GA_CP13/, built jbossweb.jar and replaced it in jboss-web.deployer. But we still see the vulnerability. Please find the report below.

Apache Tomcat Transfer-Encoding Header Vulnerability

Synopsis:
The remote Apache Tomcat service is vulnerable to an information disclosure or a denial of service attack.

Description:
The remote Apache Tomcat service is vulnerable to information disclosure or a denial of service attack due to a mishandling of invalid values for the 'Transfer-Encoding' HTTP header as sent by a client.

Risk factor:
Medium

CVSS Base Score: 6.4
CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P

See also:
http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.30
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.28

Solution:
Upgrade to version 5.5.30 / 6.0.28 or greater.

Plugin output:
Nessus was able to verify this issue using the following request:
GET / HTTP/1.1
Host: 148.147.162.243
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Date: Thu, 13 Jan 2011 06:24:58 GMT
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Pragma: no-cache
Transfer-Encoding: NESSUS
Accept-Language: en
Connection: Close

Plugin ID:
47749

CVE:
CVE-2010-2227

BID:
41544

Do I need to do something else as well?
Thanks,
Geeta
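The Nessus report in the post above describes the defect as mishandling of an invalid Transfer-Encoding value, and the probe it quotes simply sends a transfer-coding the server cannot know ("NESSUS"). The following is an added illustration, not code from the thread, from JBoss Web or from Tomcat: a small request-header validator that shows what a correctly behaving HTTP/1.1 server does with such a request, following RFC 7230 section 3.3 (unknown coding: 501 Not Implemented; Transfer-Encoding together with Content-Length, or chunked not last: 400 Bad Request). The sample request is constructed to mirror the quoted probe, with a placeholder host; the function names, the set of accepted codings and the status codes chosen are the example's own assumptions, useful as a reference when checking whether a patched server has actually changed behaviour.

```python
"""Validate the Transfer-Encoding header of a raw HTTP/1.1 request."""
from typing import Dict, List, Tuple

# Transfer-codings this (hypothetical) server understands. Anything else is
# refused with 501 Not Implemented, as RFC 7230 section 3.3.1 recommends.
KNOWN_CODINGS = {"chunked", "gzip", "deflate", "compress"}

# Constructed request modelled on the Nessus probe quoted in the report above.
# The Host value is a placeholder, not a real server.
NESSUS_STYLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Accept: */*\r\n"
    "Pragma: no-cache\r\n"
    "Transfer-Encoding: NESSUS\r\n"
    "Connection: Close\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw request into its request line and a lower-cased header map.

    Repeated header names are kept as a list so that a duplicated
    Transfer-Encoding or Content-Length is still visible to the checks below.
    """
    head, _sep, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def check_transfer_encoding(headers: Dict[str, List[str]]) -> Tuple[int, str]:
    """Return (status, reason); 200 means the message framing is acceptable."""
    te_values = headers.get("transfer-encoding", [])
    if not te_values:
        return 200, "no Transfer-Encoding header"
    # A request carrying both framing headers is ambiguous; reject it rather
    # than letting a front end and a back end disagree on the body length.
    if "content-length" in headers:
        return 400, "Transfer-Encoding and Content-Length both present"
    # Transfer-Encoding is a comma-separated list; it may also be split over
    # several header lines, which is why every value is flattened here.
    codings = [c.strip().lower() for v in te_values for c in v.split(",") if c.strip()]
    if not codings:
        return 400, "Transfer-Encoding header present but empty"
    for coding in codings:
        if coding not in KNOWN_CODINGS:
            return 501, f"unsupported transfer-coding {coding!r}"
    if codings[-1] != "chunked":
        return 400, "chunked must be the final transfer-coding"
    return 200, "ok"


def triage_request(raw: str) -> int:
    """Status the server should answer with for the given raw request."""
    _request_line, headers = parse_headers(raw)
    status, _reason = check_transfer_encoding(headers)
    return status


if __name__ == "__main__":
    # The constructed probe above carries an unknown coding and must be refused.
    status, reason = check_transfer_encoding(parse_headers(NESSUS_STYLE_REQUEST)[1])
    print(status, reason)
```

The useful comparison for anyone in the situation described in the thread is the answer the server gives to the probe: a patched server should refuse the unknown coding with an error status instead of treating the request as if it had no body framing at all, which is what leaves the connection open to the information disclosure or denial of service the report names.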
14. Re: How to fix Jboss 4.2.3 CVE-2010-2227 vulnerability issue
jfclere Jan 14, 2011 3:57 AM (in response to geetadesai)
Well, without the answer of jbossas I can't tell if the test Nessus is doing makes sense.