More exploits. Sun responds.

Intevydis blog has another exploit or two up today for Sun Java System Web Server.

Yesterday Sun posted an alert regarding the exploits and possible temporary solutions until a patch can be released.

Their solution is to disable WebDAV and all digest authentication.

But what if I use digest authentication? Do I really need to disable it? Possibly not. The HEAD, GET and POST methods do not seem to be affected by the overflow exploits. Therefore, if I block every other method EXCEPT those three, I should still be able to do digest authentication. The only problem is knowing every other method Sun’s web server supports.

Well, maybe you don’t need to know them all. You might try this:

# obj.conf: GET, POST and HEAD fall into the (deliberately empty) If block and pass through untouched
<If $method="(GET|POST|HEAD)">
</If>
# Every other method lands here and is rejected with 501 Not Implemented
<Else>
AuthTrans fn="set-variable" remove-headers="transfer-encoding" set-headers="content-length: -1" error="501"
</Else>

What this does is: if the method being handled is GET, POST or HEAD, nothing happens here. But if it’s something else, it gets rejected with a “method not implemented (501)” error. I couldn’t find a logical-not wildcard pattern operator in the administrator’s guide (“!=” is a numerical not and will not work on strings), which is why there’s an empty If block. Hey, it works, and remember it’s only temporary.
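Once the rule is in place, it is worth confirming from the outside that only GET, POST and HEAD get through and that everything else (including the WebDAV verbs) really comes back as 501. The script below is an added example, not part of this post; the host, port and the list of probed methods are my own assumptions.

```python
"""Check that a web server rejects every method except GET, POST and HEAD with 501."""
import http.client
from typing import Callable, Dict, Iterable, List

ALLOWED = {"GET", "POST", "HEAD"}

# Constructed probe list: common HTTP verbs plus the WebDAV verbs the workaround is meant to block.
PROBE_METHODS = ["GET", "HEAD", "POST", "OPTIONS", "PUT", "DELETE", "TRACE",
                 "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"]


def http_status(host: str, port: int, method: str, path: str = "/", timeout: float = 5.0) -> int:
    """Send a bare request with the given method and return the HTTP status code."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path)
        return conn.getresponse().status
    finally:
        conn.close()


def audit_methods(send: Callable[[str], int],
                  methods: Iterable[str] = PROBE_METHODS) -> Dict[str, bool]:
    """Return {method: ok}. ok means the server behaved as the workaround intends:
    allowed methods are not answered with 501 (200, 401 for digest auth, etc. are fine),
    every other method is answered with 501."""
    results: Dict[str, bool] = {}
    for method in methods:
        status = send(method)
        results[method] = (status != 501) if method in ALLOWED else (status == 501)
    return results


def unexpected(results: Dict[str, bool]) -> List[str]:
    """Methods whose response did not match the expected outcome."""
    return sorted(m for m, ok in results.items() if not ok)


if __name__ == "__main__":
    # Assumed target: a local SJSWS instance; adjust host/port for your own server.
    send = lambda m: http_status("127.0.0.1", 8080, m)
    bad = unexpected(audit_methods(send))
    print("all methods behave as expected" if not bad else f"check these methods: {bad}")
```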

So if you’re a SJSWS person, I hope this helps a little bit.

It makes me wonder if I should ditch SJSWS entirely.


One thought on “More exploits. Sun responds.”

  1. Sun released 7.0U8 and 6.1SP12 today to address these vulnerabilities. Given that they were ambushed by these disclosures, I’m fairly impressed with their response time.

    7.0U8: https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMI-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=SJWS-7.0U8-OTH-G-F@CDS-CDS_SMI
    6.1SP12: https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMI-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=SJWS-6.1-SP12-OTH-G-F@CDS-CDS_SMI

    (For the record, you can negate a Web Server wildcard pattern using the *~ prefix. The regular expression mismatch operator, !~, is another option.)
