Bug 1362735 (CVE-2016-6311) - CVE-2016-6311 EAP7: Internal IP address disclosed on redirect when request header Host field is not set
Summary: CVE-2016-6311 EAP7: Internal IP address disclosed on redirect when request he...
Keywords:
Status: NEW
Alias: CVE-2016-6311
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1362733 1520314
TreeView+ depends on / blocked
 
Reported: 2016-08-03 03:30 UTC by Jason Shepherd
Modified: 2019-11-05 01:06 UTC (History)
21 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was found that when issuing a GET request which results in a 302 redirect, and when the request header 'Host' field was not set, the response header field 'Location' contains the internal IP address of the server. An attacker could use this disclose information which they are not authorized to access.
Clone Of:
Environment:
Last Closed: 2016-12-15 05:17:30 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:3454 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update 2017-12-13 22:48:09 UTC
Red Hat Product Errata RHSA-2017:3455 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update 2017-12-13 22:57:25 UTC
Red Hat Product Errata RHSA-2017:3456 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 7.1.0 security update 2017-12-13 22:31:03 UTC
Red Hat Product Errata RHSA-2017:3458 normal SHIPPED_LIVE Important: eap7-jboss-ec2-eap security update 2017-12-13 23:26:13 UTC

Description Jason Shepherd 2016-08-03 03:30:06 UTC
When issuing a GET request which results in a 302 redirect and the request header Host field was not set, the response header field Location contains the internal IP address of the server

The example below can be reproduced by setting the <transport-guarantee>CONFIDENTIAL</transport-guarantee> in the web.xml of any webapp and using the http port to connect.

# telnet www.example.org 80
_Trying 52.52.52.52...
Connected to www.example.org.
Escape character is '^]'._
GET / HTTP/1.0

_HTTP/1.0 302 Found
Connection: close
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=16070400
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Location: https://10.0.0.91:443/
Content-Length: 0
Date: Fri, 29 Jul 2016 11:01:47 GMT_

The problem may be located in the HttpServerExchange class. Here the getHostAndPort() method always returns the local InetAddress if the Host header field wasn't set.

Comment 1 Jason Shepherd 2016-08-03 03:30:23 UTC
Acknowledgments:

Name: Luca Bueti
Upstream: WildFly

Comment 2 Jason Shepherd 2016-08-03 03:31:52 UTC
It's possible to workaround this issue by adding a filter that sets the host header to the default host if the host header is not present.

Comment 5 Jason Shepherd 2016-08-11 00:26:04 UTC
Added to Mojo tracking document for EAP 7

Comment 6 Jason Shepherd 2017-10-11 06:25:08 UTC
Mitigation:

You can add a filter in the JBoss CLI that sets the host header to the 'myvirtualhost.com' if the host header is not present. eg:

/subsystem=undertow/configuration=filter/expression-filter=hostname:add(expression="header(header=Host, value=myvirtualhost.com)")
/subsystem=undertow/server=default-server/host=default-host/filter-ref=hostname:add(predicate="not exists(%{i,Host})")

Comment 7 errata-xmlrpc 2017-12-13 17:32:49 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2017:3456 https://access.redhat.com/errata/RHSA-2017:3456

Comment 8 errata-xmlrpc 2017-12-13 18:19:40 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2017:3454 https://access.redhat.com/errata/RHSA-2017:3454

Comment 9 errata-xmlrpc 2017-12-13 18:41:04 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7

Via RHSA-2017:3455 https://access.redhat.com/errata/RHSA-2017:3455

Comment 10 errata-xmlrpc 2017-12-13 18:46:06 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7
  Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6

Via RHSA-2017:3458 https://access.redhat.com/errata/RHSA-2017:3458

Comment 11 orazio Italiano 2019-04-19 15:43:04 UTC
I have run into this Issue with JBOSS EAP v7.0.7 Release and was wondering if this issue has been back Propagated to that Version?   Also I tried to apply the work around of creating the Filter thorough CLI and when i execute that command I get the following error.  Am i typing something wrong or will this workaround not work in EAP v7.0?


[domain@node1:9999 /] /subsystem=undertow/configuration=filter/expression-filter=hostname:add(expression="header(header=Host,value=myvirtualhost.com)")
Failed to get the list of the operation properties: "WFLYCTL0030: No resource definition is registered for address [
    ("subsystem" => "undertow"),
    ("configuration" => "filter"),
    ("expression-filter" => "hostname")
]"


Note You need to log in before you can comment on or make changes to this bug.