Bug 1305937 (CVE-2016-0793)
| Summary: | CVE-2016-0793 wildfly: WEB-INF and META-INF Information Disclosure via Filter Restriction Bypass | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | jshepherd, me, osoukup, security-response-team, slong, voora |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
An incomplete-blacklist flaw was found in the blacklisting of URLs in Wildfly. A remote, unauthenticated user could exploit this flaw to expose sensitive files.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-10-21 00:49:54 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1306470 | ||
| Bug Blocks: | 1305944 | ||
This issue effects versions of Wildfly prior to 10.0.0.Final, including 9.0.2.Final, and 8.2.1.Final. It only effects Wildfly users running on Windows. Users of those versions on Windows are advised to upgrade to 10.0.0.Final. No Versions of JBoss EAP or layered products are affected. Created wildfly tracking bugs for this issue: Affects: fedora-all [bug 1306470] Statement: Only Wildfly application servers running on Windows operating systems are affected; no versions of Red Hat JBoss EAP or layered products are affected. (In reply to Jason Shepherd from comment #5) > This issue effects versions of Wildfly prior to 10.0.0.Final, including > 9.0.2.Final, and 8.2.1.Final. It only effects Wildfly users running on > Windows. Users of those versions on Windows are advised to upgrade to > 10.0.0.Final. > > No Versions of JBoss EAP or layered products are affected. The release notes for 10.0.0 Final or 10.1 has no information on this, can you please point me which bug / enhancement fixed this issue? Thanks (In reply to voora from comment #8) > The release notes for 10.0.0 Final or 10.1 has no information on this, can > you please point me which bug / enhancement fixed this issue? Up. Please write how it has been fixed in WildFly 10. @Andrea:This issue effects versions of Wildfly prior to 10.0.0.Final, including 9.0.2.Final, and 8.2.1.Final. It only effects Wildfly users running on Windows. (In reply to Bharti Kundal from comment #10) > @Andrea:This issue effects versions of Wildfly prior to 10.0.0.Final, > including 9.0.2.Final, and 8.2.1.Final. It only effects Wildfly users > running on Windows. @Bharti: Hi, I already read that. What do I mean is: how's this affected only WildFly < 10? From what I understand the bug is inside undertow[1] and that code isn't changed. *I know* this has been effectively fixed in WildFly 10, just wondering *how* it has been mitigated. Thank you [1] https://github.com/undertow-io/undertow/blob/master/servlet/src/main/java/io/undertow/servlet/handlers/ServletInitialHandler.java#L201 |
An information disclosure of the content of restricted files WEB-INF and META-INF via filter mechanism was reported. Servlet filter restriction mechanism is enforced by two code checks: if (path.startsWith("/META-INF") || path.startsWith("META-INF") || path.startsWith("/WEB-INF") || path.startsWith("WEB-INF")) { return false; } private boolean isForbiddenPath(String path) { return path.equalsIgnoreCase("/meta-inf/") || path.regionMatches(true, 0, "/web-inf/", 0, "/web-inf/".length()); } which can be bypassed using lower case and adding meaningless character to path.