When a GET request results in a 302 redirect and the request carried no Host header, the Location response header contains the server's internal IP address, disclosing internal addressing to any unauthenticated remote client. The example below can be reproduced by setting <transport-guarantee>CONFIDENTIAL</transport-guarantee> in the web.xml of any webapp and connecting over the plain HTTP port. An HTTP/1.0 request is used because, unlike HTTP/1.1, it does not require a Host header, so the server accepts the request without one:

    # telnet www.example.org 80
    Trying 52.52.52.52...
    Connected to www.example.org.
    Escape character is '^]'.
    GET / HTTP/1.0

    HTTP/1.0 302 Found
    Connection: close
    X-XSS-Protection: 1; mode=block
    Strict-Transport-Security: max-age=16070400
    X-Content-Type-Options: nosniff
    X-Frame-Options: DENY
    Location: https://10.0.0.91:443/
    Content-Length: 0
    Date: Fri, 29 Jul 2016 11:01:47 GMT

The problem is probably in the HttpServerExchange class: its getHostAndPort() method falls back to the local InetAddress whenever the Host header is absent, so that address is what ends up in the redirect.
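The following is an added example, not code from the report or from WildFly/Undertow. It models the redirect logic described above (Host absent, so the local socket address is used), shows a hardened variant that falls back to a configured canonical host instead (the same effect the mitigation filter below achieves), and includes a check that a tester can run over a captured response to flag a Location header pointing at a private, loopback or link-local address. The function names, the server address 10.0.0.91:443, the host name www.example.org and the captured response bytes are all constructed for this example.

```python
"""Added example (not WildFly/Undertow code) for the Host-less redirect leak.

Assumptions, not taken from the advisory: LOCAL_ADDR, CANONICAL_HOST,
the function names and the constructed CAPTURED_RESPONSE below.
"""
import ipaddress
import re
import socket
from typing import Dict, Optional

LOCAL_ADDR = ("10.0.0.91", 443)      # constructed: address the server is bound to
CANONICAL_HOST = "www.example.org"   # constructed: the configured default host


def parse_request(raw: bytes) -> Dict[str, str]:
    """Parse a minimal HTTP request head into lowercase header name -> value."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {"__request_line": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def redirect_vulnerable(req: bytes) -> str:
    """Mirror the described behaviour: with no Host header, use the local
    socket address, so the internal IP lands in the Location header."""
    host = parse_request(req).get("host")
    if host is None:
        host = f"{LOCAL_ADDR[0]}:{LOCAL_ADDR[1]}"   # the leak
    return f"https://{host}/"


def redirect_hardened(req: bytes) -> str:
    """Fall back to the configured canonical host, never the local address.
    Any client-supplied port is dropped; the TLS port is the server's choice."""
    host = parse_request(req).get("host")
    if not host:
        host = CANONICAL_HOST
    host = host.split(":", 1)[0]
    return f"https://{host}/"


_LOCATION_RE = re.compile(r"^Location:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def location_leaks_internal_ip(raw_response: str) -> Optional[str]:
    """Return the leaked address if Location points at a non-public IP
    (RFC 1918 / loopback / link-local, v4 or v6), otherwise None."""
    m = _LOCATION_RE.search(raw_response)
    if not m:
        return None
    hostport = m.group(1).split("://", 1)[-1].split("/", 1)[0]
    if hostport.startswith("["):                 # bracketed IPv6 literal
        host = hostport[1:hostport.index("]")]
    else:
        host = hostport.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                           # a host name, not an IP
        return None
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return str(ip)
    return None


def probe(host: str, port: int = 80, timeout: float = 5.0) -> Optional[str]:
    """Live check (not used by the offline test): send a Host-less HTTP/1.0
    request, which the server accepts, and inspect the redirect target."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\n\r\n")
        data = b""
        while chunk := s.recv(4096):
            data += chunk
    return location_leaks_internal_ip(data.decode("iso-8859-1", "replace"))


# Constructed copy of the response shown in the report above.
CAPTURED_RESPONSE = (
    "HTTP/1.0 302 Found\r\n"
    "Connection: close\r\n"
    "Strict-Transport-Security: max-age=16070400\r\n"
    "Location: https://10.0.0.91:443/\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(redirect_vulnerable(b"GET / HTTP/1.0\r\n\r\n"))   # https://10.0.0.91:443/
    print(redirect_hardened(b"GET / HTTP/1.0\r\n\r\n"))     # https://www.example.org/
    print(location_leaks_internal_ip(CAPTURED_RESPONSE))   # 10.0.0.91
```

The check deliberately treats only IP literals as a finding; a Location pointing at a host name is the normal, expected result after the fix or with the filter workaround in place.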
Acknowledgments: Name: Luca Bueti Upstream: WildFly
It's possible to work around this issue by adding a filter that sets the Host header to the default host when the header is not present.
Added to Mojo tracking document for EAP 7
Mitigation: You can add a filter in the JBoss CLI that sets the Host header to 'myvirtualhost.com' if the Host header is not present, e.g.:

    /subsystem=undertow/configuration=filter/expression-filter=hostname:add(expression="header(header=Host, value=myvirtualhost.com)")
    /subsystem=undertow/server=default-server/host=default-host/filter-ref=hostname:add(predicate="not exists(%{i,Host})")
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2017:3456 https://access.redhat.com/errata/RHSA-2017:3456
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2017:3454 https://access.redhat.com/errata/RHSA-2017:3454
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Via RHSA-2017:3455 https://access.redhat.com/errata/RHSA-2017:3455
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 and Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2017:3458 https://access.redhat.com/errata/RHSA-2017:3458
I have run into this issue with the JBoss EAP v7.0.7 release and was wondering if this issue has been back-propagated to that version? Also I tried to apply the workaround of creating the filter through the CLI, and when I execute that command I get the following error. Am I typing something wrong, or will this workaround not work in EAP v7.0?

    [domain@node1:9999 /] /subsystem=undertow/configuration=filter/expression-filter=hostname:add(expression="header(header=Host,value=myvirtualhost.com)")
    Failed to get the list of the operation properties: "WFLYCTL0030: No resource definition is registered for address [ ("subsystem" => "undertow"), ("configuration" => "filter"), ("expression-filter" => "hostname") ]"
Fixed, see https://access.redhat.com/security/cve/CVE-2016-6311 for more information.