Sun removes vulnerabilities in Java web servers and proxies
Sun has issued an advisory about a bug in several of its server products that makes them susceptible to HTTP Request Smuggling (HRS) attacks. Attackers can use it to remotely manipulate the content of web caches (known as web cache poisoning), or to deceive firewalls and intrusion detection/prevention systems and hijack HTTP sessions. A cross-site scripting (XSS) attack is also possible.
The problem only occurs if the Sun Java System Proxy Server is used in combination with the Java System Application Server or the Sun Java System Web Server. The two systems sometimes parse contradictory or inconsistent request entries in different ways; in particular, they may evaluate several Content-Length headers in the same request differently, so that the proxy and the server disagree on where one request ends and the next begins.
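As an added illustration (not code from Sun or the advisory), the toy parser below shows how two components that honour different Content-Length headers split the same byte stream at different points, and how a strict parser rejects the ambiguity instead; the sample request and its host name are constructed for this example.

```python
# Toy request splitter. Sample request and host name below are constructed
# for this example (hypothetical), not taken from Sun's advisory.

def split_request(raw: bytes, policy: str = "strict"):
    """Take one request off the front of `raw`; return (body, leftover).
    "first"/"last": honour the first/last Content-Length header (lenient,
    what a proxy and a backend might each do differently).
    "strict": reject missing, non-numeric or conflicting values."""
    if policy not in ("strict", "first", "last"):
        raise ValueError("unknown policy")
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lengths = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            if not value.strip().isdigit():
                raise ValueError("non-numeric Content-Length")
            lengths.append(int(value.strip()))
    if not lengths:
        raise ValueError("no Content-Length (this toy parser requires one)")
    if policy == "strict" and len(set(lengths)) != 1:
        raise ValueError(f"conflicting Content-Length values {lengths}")
    n = lengths[-1] if policy == "last" else lengths[0]
    if len(rest) < n:
        raise ValueError("body shorter than declared length")
    return rest[:n], rest[n:]

SAMPLE = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: proxy.example.test\r\n"
    b"Content-Length: 4\r\n"
    b"Content-Length: 11\r\n"
    b"\r\n"
    b"abcdEFGHIJK"
)

def boundary_disagreement(raw: bytes = SAMPLE) -> bool:
    """True if a 'first' parser and a 'last' parser end the request at
    different byte offsets: the inconsistency the advisory describes."""
    return split_request(raw, "first")[1] != split_request(raw, "last")[1]

def strict_rejects(raw: bytes = SAMPLE) -> bool:
    """True if the strict policy refuses the ambiguous request."""
    try:
        split_request(raw, "strict")
    except ValueError:
        return True
    return False
```

With the sample, the "first" policy leaves seven bytes unconsumed that the "last" policy treats as body, which is exactly the disagreement a proxy/server pair must not have.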
Software vendor Watchfire described this problem in the middle of last year in a whitepaper on HRS, specifically mentioning SunOne Proxy and SunOne Webserver. Sun also references that whitepaper in its bug advisory. What remains unclear is whether Sun only noticed the problem a year and a half later, or whether the bug took that long to repair.
The newly released updates eliminate the problem in Sun Java System Web Server, Sun Java System Application Server, Sun ONE Application Server and Sun Java System Web Proxy Server. The precise versions involved are provided in the original bug advisory.
- Security Vulnerability With HTTP Requests in Sun Java System Server(s), bug advisory from Sun
(trk)