Bug 1362735 (CVE-2016-6311)
| Summary | CVE-2016-6311 EAP7: Internal IP address disclosed on redirect when request header Host field is not set | | |
|---|---|---|---|
| Product | [Other] Security Response | Reporter | Jason Shepherd <jshepherd> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | aileenc, bbaranow, bmaxwell, cdewolf, chazlett, csutherl, dandread, darran.lofthouse, dosoudil, jawilson, jshepherd, lakagwu, lgao, myarboro, orazio.italiano, phagerma, pslavice, rnetuka, rsvoboda, twalsh, vtunka |
| Target Milestone | --- | Keywords | Reopened, Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | It was found that when issuing a GET request which results in a 302 redirect, and when the request header 'Host' field was not set, the response header field 'Location' contains the internal IP address of the server. An attacker could use this to disclose information which they are not authorized to access. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2021-06-11 05:21:47 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1362733, 1520314 | | |
Description
Jason Shepherd
2016-08-03 03:30:06 UTC
Acknowledgments:

Name: Luca Bueti
Upstream: WildFly

It's possible to work around this issue by adding a filter that sets the Host header to the default host if the Host header is not present. Added to Mojo tracking document for EAP 7.

Mitigation: You can add a filter in the JBoss CLI that sets the Host header to 'myvirtualhost.com' if the Host header is not present, e.g.:

    /subsystem=undertow/configuration=filter/expression-filter=hostname:add(expression="header(header=Host, value=myvirtualhost.com)")
    /subsystem=undertow/server=default-server/host=default-host/filter-ref=hostname:add(predicate="not exists(%{i,Host})")

This issue has been addressed in the following products:

Red Hat JBoss Enterprise Application Platform
Via RHSA-2017:3456 https://access.redhat.com/errata/RHSA-2017:3456

This issue has been addressed in the following products:

Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6
Via RHSA-2017:3454 https://access.redhat.com/errata/RHSA-2017:3454

This issue has been addressed in the following products:

Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7
Via RHSA-2017:3455 https://access.redhat.com/errata/RHSA-2017:3455

This issue has been addressed in the following products:

Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7
Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6
Via RHSA-2017:3458 https://access.redhat.com/errata/RHSA-2017:3458

I have run into this issue with JBoss EAP v7.0.7 release and was wondering if this issue has been back propagated to that version? Also I tried to apply the workaround of creating the filter through the CLI, and when I execute that command I get the following error. Am I typing something wrong, or will this workaround not work in EAP v7.0?

    [domain@node1:9999 /] /subsystem=undertow/configuration=filter/expression-filter=hostname:add(expression="header(header=Host,value=myvirtualhost.com)")
    Failed to get the list of the operation properties: "WFLYCTL0030: No resource definition is registered for address [ ("subsystem" => "undertow"), ("configuration" => "filter"), ("expression-filter" => "hostname") ]"

Fixed, see https://access.redhat.com/security/cve/CVE-2016-6311 for more information.
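A quick way to check a server for the behaviour described in the Doc Text, as an added example (this is not code from the report, from WildFly or from EAP): send a GET with no Host header, which HTTP/1.0 permits, and inspect the Location header of the resulting redirect for a private, loopback or link-local IP literal. The target name, port and path, the sample responses, and the set of addresses treated as "internal" (RFC 1918, loopback, link-local) are assumptions made for the example.

```python
"""Check a redirect for a leaked internal IP (CVE-2016-6311 pattern).

Added example; it is not code from the Bugzilla report, WildFly or EAP.
Assumptions: the target answers HTTP/1.0 requests, which may legitimately omit
the Host header, and an "internal" address means an RFC 1918, loopback or
link-local literal IP in the Location URL. The sample responses below are
constructed, not captured from a real server.
"""
import ipaddress
import socket
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def build_hostless_request(path: str) -> bytes:
    # HTTP/1.0 lets a client omit Host; HTTP/1.1 requires it (RFC 7230 5.4),
    # so an HTTP/1.1 request with no Host is normally rejected before any
    # redirect is generated.
    return f"GET {path} HTTP/1.0\r\nConnection: close\r\n\r\n".encode("ascii")


def parse_response_head(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Return (status code, lower-cased header map) from a raw HTTP response."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def is_internal_address(host: Optional[str]) -> bool:
    """True only for a literal IP that is private, loopback or link-local."""
    if host is None:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name such as myvirtualhost.com, not an address
    return addr.is_private or addr.is_loopback or addr.is_link_local


def assess(raw: bytes) -> Dict[str, object]:
    """Decide whether a raw redirect response leaks an internal IP in Location."""
    status, headers = parse_response_head(raw)
    location = headers.get("location")
    # urlsplit(...).hostname drops the port and IPv6 brackets; it is None for
    # a relative Location such as "/app/", which cannot leak an address.
    host = urlsplit(location).hostname if location else None
    return {
        "status": status,
        "location": location,
        "host": host,
        "leaks_internal_ip": status in REDIRECT_CODES and is_internal_address(host),
    }


def probe(target: str, port: int, path: str, timeout: float = 5.0) -> Dict[str, object]:
    """Send the Host-less GET to a live server and assess the reply (network I/O)."""
    with socket.create_connection((target, port), timeout=timeout) as sock:
        sock.sendall(build_hostless_request(path))
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return assess(b"".join(chunks))


# Constructed sample responses (not captured from any server).
LEAKING_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://10.0.0.5:8080/app/\r\n"
    b"Content-Length: 0\r\n\r\n"
)
CLEAN_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://myvirtualhost.com/app/\r\n"
    b"Content-Length: 0\r\n\r\n"
)
RELATIVE_RESPONSE = b"HTTP/1.1 302 Found\r\nLocation: /app/\r\n\r\n"

if __name__ == "__main__":
    for sample in (LEAKING_RESPONSE, CLEAN_RESPONSE, RELATIVE_RESPONSE):
        print(assess(sample))
    # Live check against an assumed host, e.g.:
    # print(probe("eap.example.internal", 8080, "/app"))
```

Run `probe()` against a path that redirects (a context root requested without its trailing slash is the usual candidate) once with the Host-less request and once with a normal HTTP/1.1 request carrying Host as a control; only the Host-less reply should show `leaks_internal_ip` true on an unpatched server, and neither should after the erratum or the filter above is applied. Note that the CLI error quoted in the last comment comes from a domain-mode prompt (`[domain@node1:9999 /]`); in domain mode subsystem resources live under a profile, e.g. `/profile=<name>/subsystem=undertow/...`, so a bare `/subsystem=undertow` address has no resource definition at the root.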