__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN HTTP Requests in Sun Java System Server(s) [Sun Alert ID: 102733] December 1, 2006 17:00 GMT Number R-061 [REVISED 1 Mar 2007] ______________________________________________________________________________ PROBLEM: If the Sun Java System Proxy Server is used in conjunction with the Sun Java System Application Server or the Sun Java System Web Server then it may be susceptible to "HTTP Request Smuggling" (HRS) which can allow remote unprivileged users to be able to poison web caches, hijack sessions, perform cross-site scripting (CSS or XSS) attacks or bypass web application firewall protection. PLATFORM: Sun Java System Web Server 6.0 Service Pack 10 Sun Java System Application Server Platform Edition 8.1 2005Q1 Sun ONE Application Server 7 Enterprise Edition Sun ONE Application Server 7 Standard Edition Sun Java System Application Server Platform Edition 8.1 2005Q1 Update Release 1 Sun Java System Web Proxy Server 4.0 Sun Java System Web Server 6.1 Sun Java System Application Server Enterprise Edition 8.1 2005Q1 Sun Java System Web Proxy Server 3.6 DAMAGE: Can allow remote unprivileged users to be able to poison web caches, hijack sessions, perform cross-site scripting (CSS or XSS) attacks or bypass web application firewall protection. SOLUTION: Apply current patches. ______________________________________________________________________________ VULNERABILITY The risk is LOW. May allow escalation of privileges through ASSESSMENT: hijacked sessions. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/r-061.shtml ORIGINAL BULLETIN: http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102733-1&searchclause=%22category:security%22%2420%22availability,%2420security%22%2420category:security ______________________________________________________________________________ REVISION HISTORY: 03/01/2007 - revised R-061 to reflect changes Sun has made in Sun Alert ID: 102733 where they Updated Contributing Factors and Resolution Sections. [***** Start Sun Alert ID: 102733 *****] Document Audience: PUBLIC Document ID: 102733 Title: Security Vulnerability With HTTP Requests in Sun Java System Server(s) Copyright Notice: Copyright © 2006 Sun Microsystems, Inc. All Rights Reserved Update Date: Thu Nov 30 00:00:00 MST 2006 Status Issued Description Top Sun(sm) Alert Notification * Sun Alert ID: 102733 * Synopsis: Security Vulnerability With HTTP Requests in Sun Java System Server(s) * Category: Security * Product: Sun Java System Web Server 6.0 Service Pack 10, Sun Java System Application Server Platform Edition 8.1 2005Q1, Sun ONE Application Server 7, Enterprise Edition, Sun ONE Application Server 7, Standard Edition, Sun Java System Application Server Platform Edition 8.1 2005Q1 Update Release 1, Sun Java System Web Proxy Server 4.0, Sun Java System Web Server 6.1, Sun Java System Application Server Enterprise Edition 8.1 2005Q1, Sun Java System Web Proxy Server 3.6 * BugIDs: 6300506, 6300510, 6289242, 6285847, 6286541, 6285724, 6286783 * Avoidance: Patch * State: Resolved * Date Released: 30-Nov-2006 * Date Closed: 30-Nov-2006 * Date Modified: 26-Feb 2007 1. Impact If the Sun Java System Proxy Server is used in conjunction with the Sun Java System Application Server or the Sun Java System Web Server then it may be susceptible to "HTTP Request Smuggling" (HRS) which can allow remote unprivileged users to be able to poison web caches, hijack sessions, perform cross-site scripting (CSS or XSS) attacks or bypass web application firewall protection. Further information about HRS can be found at https://www.watchfire.com/securearea/whitepapers.aspx?id=12. 2. Contributing Factors This issue can occur in the following releases: SPARC Platform Sun Java System Proxy Server 3.6 without Service Pack 8 Sun Java System Proxy Server 4.0 without Service Pack 1 Sun Java System Web Server 6.0 without Service Pack 10 Sun Java System Web Server 6.1 2005Q1 without Service Pack 5 Sun ONE Application Server 7 without Update 8 Sun Java System Application Server 7 2004Q2 without Update 4 Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file-based) patch 119169-02 or (SVR4) patch 119166-09 Sun Java System Application Server Platform Edition 8.1 2005 Q1 without (file-based) patch 119173-01 x86 Platform Sun Java System Proxy Server 4.0 without Service Pack 1 Sun Java System Web Server 6.1 2005Q1 without Service Pack 5 Sun ONE Application Server 7 without Update 8 Sun Java System Application Server 7 2004Q2 without Update 4 Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file-based) patch 119170-02 or (SVR4) patch 119167-09 Sun Java System Application Server Platform Edition 8.1 2005 Q1 without (file-based) patch 119174-01 Linux Platform Sun Java System Proxy Server 4.0 without Service Pack 1 Sun Java System Web Server 6.0 without Service Pack 10 Sun Java System Web Server 6.1 2005Q1 without Service Pack 5 Sun ONE Application Server 7 without Update 8 Sun Java System Application Server 7 2004Q2 without Update 4 Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file-based) patch 119171-02 or (Pkg) patch 119168-09 Sun Java System Application Server Platform Edition 8.1 2005 Q1 without (file-based) patch 119175-01 AIX Platform Sun Java System Proxy Server 3.6 without Service Pack 8 Sun Java System Web Server 6.0 without Service Pack 10 Sun Java System Web Server 6.1 2005Q1 without Service Pack 5 HP-UX Sun Java System Proxy Server 3.6 without Service Pack 8 Sun Java System Web Server 6.0 without Service Pack 10 Sun Java System Web Server 6.1 2005Q1 without Service Pack 5 Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (native) patch 121514-01 Windows Platform Sun Java System Proxy Server 3.6 without Service Pack 8 Sun Java System Proxy Server 4.0 without Service Pack 1 Sun Java System Web Server 6.0 without Service Pack 10 Sun Java System Web Server 6.1 2005Q1 without Service Pack 5 Sun ONE Application Server 7 without Update 8 Sun Java System Application Server 7 2004Q2 without Update 4 Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 without (file based) patch 119172-07 or (native) patch 121528-01 Sun Java System Application Server Platform Edition 8.1 2005 Q1 without (file based) patch 119176-01 To determine the version of Sun Java System Application Server on a system, the following command can be run: $ /bin/asadmin version --verbose Sun Java System Application Server 7 2004Q2UR3 (build A051525-273129) (Where is the installation directory of the Application Server). To determine the version of Sun Java System Web Server on a system, the following command can be run: $ /https-/start -version (Where is top installation directory of Web Server and should be the actual host name on which the Web Server is installed). To determine the version of Sun Java System Proxy Server on a system, the following command can be run: $ /bin/ns-proxy -v (Where is the installation directory of the Proxy Server). 3. Symptoms There are no reliable symptoms that would indicate the described issue has been exploited. Solution Summary Top 4. Relief/Workaround There is no workaround for this issue. Please see the Resolution section below. 5. Resolution This issue is addressed in the following releases: SPARC Platform Sun Java System Proxy Server 3.6 Service Pack 8 or later Sun Java System Proxy Server 4.0 Service Pack 1 or later Sun Java System Web Server 6.0 Service Pack 10 or later Sun Java System Web Server 6.1 2005Q1 Service Pack 5 or later Sun ONE Application Server 7 Update 8 or later Sun Java System Application Server 7 2004Q2 Update 4 or later Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file-based) patch 119169-02 or (SVR4) patch 119166-09 or later Sun Java System Application Server Platform Edition 8.1 2005 Q1 with (file-based) patch 119173-01 or later x86 Platform Sun Java System Proxy Server 4.0 with Service Pack 1 or later Sun Java System Web Server 6.1 2005Q1 with Service Pack 5 or later Sun ONE Application Server 7 with Update 8 or later Sun Java System Application Server 7 2004Q2 with Update 4 or later Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file-based) patch 119170-02 or (SVR4) patch 119167-09 or later Sun Java System Application Server Platform Edition 8.1 2005 Q1 with (file-based) patch 119174-01 or later Linux Platform Sun Java System Proxy Server 4.0 with Service Pack 1 or later Sun Java System Web Server 6.0 with Service Pack 10 or later Sun Java System Web Server 6.1 2005Q1 with Service Pack 5 or later Sun ONE Application Server 7 with Update 8 or later Sun Java System Application Server 7 2004Q2 with Update 4 or later Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file-based) patch 119171-02 or (Pkg) patch 119168-09 or later Sun Java System Application Server Platform Edition 8.1 2005 Q1 with (file-based) patch 119175-01 or later AIX Platform Sun Java System Proxy Server 3.6 with Service Pack 8 or later Sun Java System Web Server 6.0 with Service Pack 10 or later Sun Java System Web Server 6.1 2005Q1 with Service Pack 5 or later HP-UX Platform Sun Java System Proxy Server 3.6 with Service Pack 8 or later Sun Java System Web Server 6.0 with Service Pack 10 or later Sun Java System Web Server 6.1 2005Q1 with Service Pack 5 or later Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (native) patch 121514-01 or later Windows Platform Sun Java System Proxy Server 3.6 with Service Pack 8 or later Sun Java System Proxy Server 4.0 with Service Pack 1 or later Sun Java System Web Server 6.0 with Service Pack 10 or later Sun Java System Web Server 6.1 2005Q1 with Service Pack 5 or later Sun ONE Application Server 7 with Update 8 or later Sun Java System Application Server 7 2004Q2 with Update 4 or later Sun Java System Application Server Enterprise Edition 8.1 2005 Q1 with (file based) patch 119172-07 or (native) patch 121528-01 or later Sun Java System Application Server Platform Edition 8.1 2005 Q1 with (file based) patch 119176-01 or later Sun Java System Proxy Server 3.6 Service Pack 8 or later is available at: http://www.sun.com/download/products.xml?id=42fa5c49 Sun Java System Proxy Server 4.0 Service Pack 1 or later is available at: http://www.sun.com/download/products.xml?id=4384b5dd Sun Java System Web Server 6.0 Service Pack 10 or later is available at: http://www.sun.com/download/products.xml?id=43a84f89 Sun Java System Web Server 6.1 2005Q1 Service Pack 5 or later is available at: http://www.sun.com/download/products.xml?id=434aec1d http://www.sun.com/download/products.xml?id=43c43041 (International Edition) Sun ONE Application Server 7 Update 8 or later is available at: http://www.sun.com/download/products.xml?id=438cfb75 (Platform Edition) http://www.sun.com/download/products.xml?id=438cf33d (Standard Edition) Sun Java System Application Server 7 2004Q2 Update 4 or later is available at: http://www.sun.com/download/products.xml?id=4331ff42 (Standard Edition) http://javashoplm.sun.com/ECom/docs/Welcome.jsp?StoreId=8&PartDetailId=SJAS72004Q2U4-EE-OTH-G-ES (Enterprise Edition) Change History 26-Feb-2007: Updated Contributing Factors and Resolution sections This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements. Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved. [***** End Sun Alert ID: 102733 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Sun for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) R-052: NetGear WG111v2 Wireless Driver Long Beacon Overflow R-053: gv R-054: NaviCOPA Web Server Vulnerability R-055: Linux-ftpd Programming Error R-056: pstotext Insecure File Name Quoting R-057: Apple Security Update 2006-007 R-058: Potential vulnerabilities in Adobe Reader and Acrobat R-059: texinfo Buffer Overflow R-060: libgsf Buffer Overflow