Security Vulnerability With The HTTP TRACE Functionality in Sun Java System Application Server |
|
| Category : | Security |
| Release Phase : | Resolved |
| Bug Id : | 5063481
|
| Date of Resolved Release : | 03-NOV-2004
|
| Product : | Sun Java System Application Server Standard Edition 7 2004Q2
|
A local or remote unprivileged user may be able to abuse the HTTP TRACE functionality to gain access to sensitive information in HTTP headers when making HTTP requests to Sun Java System Application servers.
This issue is described in the CERT Vulnerability VU#867593 (see: http://www.kb.cert.org/vuls/id/867593).
Contributing Factors
This issue can occur in the following releases:
-
Sun Java System Application Server Standard Edition 7 and later updates
-
Sun Java System Application Server Standard Edition 7 2004Q2 and later updates
-
Sun Java System Application Server Platform Edition 7 and later updates
Symptoms
There are no reliable symptoms that would indicate the described issue has been exploited.
Workaround
The described issue is not a defect of the Sun Java System Application Server 7 or Sun Java System Application Server 7 2004Q2 releases. However, the following recommendation is provided to avoid this issue.
Disable HTTP TRACE support for Sun Java System Application Server 7 and Sun Java System Application Server 7 2004Q2 as follows:
Add the following to the top of the default object in <server-instance>-obj.conf :
<Client method="TRACE">
AuthTrans fn="set-variable" remove-headers="transfer-encoding"
set-headers="content-length: -1" error="501"
</Client>
Restart the Application server.
Resolution
The workaround provided above in the "Relief/Workaround" section is the final resolution to this issue.
AttachmentsThis solution has no attachment
|
Subscribe |
Careers |
Contact Us |
Site Maps |
Legal Notices |
Terms of Use |
Your Privacy Rights |
Sun Contracted Content
Sun Contracted Feature
