- Bug
- Resolution: Done
- Major
- 7.0.0.DR2
The MCMP processing must reject all weird, malformed and outright malicious MCMP messages. Any negligence here could lead to something like MODCLUSTER-453 a.k.a. CVE-2015-0298 in the future.
For instance, messages containing valid JavaScript code shouldn't be accepted:
17:12:11,797 DEBUG [io.undertow] (default task-1) UT005054: MCMP processing, key: JVMRoute, value: <script>alert('X');</script>
17:12:11,798 DEBUG [io.undertow] (default task-1) UT005054: MCMP processing, key: Host, value: 192.168.0.122
17:12:11,798 DEBUG [io.undertow] (default task-1) UT005054: MCMP processing, key: Maxattempts, value: 1
17:12:11,798 DEBUG [io.undertow] (default task-1) UT005054: MCMP processing, key: Port, value: 800
17:12:11,799 DEBUG [io.undertow] (default task-1) UT005049: NodeConfig created: connectionURI: http://192.168.0.122:800/?#, balancer: mycluster, domain: null, jvmRoute: <script>alert('X');</script>, flushPackets: false, flushwait: 10, ping: 10000,ttl: 0, timeout: 0, maxConnections: 16, cacheConnections: 5, requestQueueSize: 10, queueNewRequests: true
17:12:11,799 DEBUG [io.undertow] (default task-1) UT005038: Balancer created: id: 1, name: mycluster, stickySession: true, stickySessionCookie: JSESSIONID, stickySessionPath: jsessionid, stickySessionRemove: false, stickySessionForce: true, waitWorker: 0, maxattempts: 1
17:12:11,803 INFO [io.undertow] (default task-1) UT005053: Registering node <script>alert('X');</script>, connection: http://192.168.0.122:800/?#
- is cloned by
- UNDERTOW-450 Undertow mod_cluster proxy does not reject suspicious MCMP messages
- Closed
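
The check this report asks for, sketched as an added example (not Undertow's or mod_cluster's code): each MCMP parameter is validated against a per-key allowlist, run here over the UT005054 lines from the log above. The allowlist patterns and the names validate_param and scan_log are assumptions made for illustration.

```python
import re

# Constructed sample: the four UT005054 lines from the log excerpt on this page.
SAMPLE_LOG = """\
17:12:11,797 DEBUG [io.undertow] (default task-1) UT005054: MCMP processing, key: JVMRoute, value: <script>alert('X');</script>
17:12:11,798 DEBUG [io.undertow] (default task-1) UT005054: MCMP processing, key: Host, value: 192.168.0.122
17:12:11,798 DEBUG [io.undertow] (default task-1) UT005054: MCMP processing, key: Maxattempts, value: 1
17:12:11,798 DEBUG [io.undertow] (default task-1) UT005054: MCMP processing, key: Port, value: 800
"""

PARAM_RE = re.compile(r"UT005054: MCMP processing, key: ([^,]+), value: (.*)$")

def _matches(pattern):
    rx = re.compile(pattern)
    return lambda v: rx.fullmatch(v) is not None

def _int_between(lo, hi):
    # ASCII digits only, bounded length, then a numeric range check.
    return lambda v: v.isascii() and v.isdigit() and len(v) <= 5 and lo <= int(v) <= hi

# Assumed allowlists, chosen for illustration; not taken from Undertow or mod_cluster.
RULES = {
    "jvmroute": _matches(r"[A-Za-z0-9._-]{1,80}"),
    "host": _matches(r"[A-Za-z0-9.:-]{1,255}"),
    "port": _int_between(1, 65535),
    "maxattempts": _int_between(0, 99999),
}
# Keys without a rule: bounded text with no control or HTML metacharacters.
DEFAULT_RULE = _matches(r"[^\x00-\x1f\x7f<>\"'&]{0,255}")

def validate_param(key, value):
    """Return None if the value is acceptable, else a short rejection reason."""
    rule = RULES.get(key.strip().lower(), DEFAULT_RULE)
    if rule(value):
        return None
    return "value for %s fails allowlist: %r" % (key, value[:60])

def scan_log(text):
    """Return (key, value, reason) for each logged MCMP parameter that fails validation."""
    findings = []
    for line in text.splitlines():
        m = PARAM_RE.search(line)
        if not m:
            continue
        reason = validate_param(m.group(1), m.group(2))
        if reason:
            findings.append((m.group(1), m.group(2), reason))
    return findings

if __name__ == "__main__":
    for key, value, reason in scan_log(SAMPLE_LOG):
        print("REJECT", reason)
```

Applied at parse time, the same rule would refuse the message before NodeConfig is created, so the value never reaches the registration log line or any page that renders node names.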