Update Protection against Sun Java System Application Server HTTP TRACE Vulnerability
| Check Point Reference: | CPAI-2010-102 |
|---|---|
| Date Published: | |
| Preemptive Since: | |
| Severity: | |
| Source: | Oracle Bug ID: 5063481 |
| Industry Reference(s): | |
| Protection Provided by: | IPS-1 |
| Who is Vulnerable? | Sun Java System Application Server Standard Edition 7 2004Q2 |
| Vulnerability Description | Sun Java System Application Server 7 and 7 2004Q2 enable the HTTP TRACE method, which attackers can leverage to gain access to sensitive user information. The HTTP TRACE method returns the contents of the client's HTTP request in the entity-body of the TRACE response. A local or remote unprivileged user may be able to abuse the HTTP TRACE functionality to gain access to sensitive information in HTTP headers when making HTTP requests to Sun Java System Application Servers. |
| Update/Patch Available | The vendor, Oracle, has released a workaround: http://sunsolve.sun.com/search/document.do?assetkey=1-66-200942-1 |
| Vulnerability Details | The HTTP TRACE method returns the contents of the client's HTTP request in the entity-body of the TRACE response. Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers such as cookies and authentication data. Combined with other cross-domain vulnerabilities in web browsers, sensitive header information could be read from any domain that supports the HTTP TRACE method. |
| Protection Overview | IPS-1 detects and blocks HTTP requests using the TRACE method. To configure the defense, select your product from the list below and follow the related protection steps. |
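The following Python example is added to this advisory to make the Vulnerability Details and Protection Overview rows concrete; it is not Check Point's IPS-1 detection logic and not Sun/Oracle code. It shows three things: a request-line check of the kind an inline filter applies to flag TRACE, a handler that reflects the request the way an unpatched TRACE-enabled server does (so the echoed body visibly contains the session cookie), and the hardened form that answers TRACE with 405 instead. All request bytes, host names and cookie values are constructed for the example; the servers bind an ephemeral loopback port only.

```python
"""Added illustration: what HTTP TRACE reflects, how an inline filter
recognises it, and how a server should answer it instead.
Not Check Point or Sun/Oracle code; all traffic below is constructed."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def parse_request_line(raw: bytes):
    """Return (method, target, version) from a raw HTTP request, or None if malformed."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return tuple(p.decode("ascii", "replace") for p in parts)


def is_trace_request(raw: bytes) -> bool:
    """Signature-style check an inline filter applies to each request.
    Method tokens are case-sensitive by RFC, but a lax server may accept
    'trace', so compare case-insensitively to avoid a trivial bypass."""
    parsed = parse_request_line(raw)
    return parsed is not None and parsed[0].upper() == "TRACE"


def filter_requests(requests):
    """Return the constructed requests the filter would block."""
    return [r for r in requests if is_trace_request(r)]


class QuietHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.1"

    def log_message(self, *args):  # keep the example's output clean
        pass

    def _reply(self, status, ctype, body, extra=()):
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        for name, value in extra:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)
        self.close_connection = True


class EchoTraceHandler(QuietHandler):
    """TRACE as the advisory describes it: the request line and all headers,
    cookies and Authorization included, come back in the response body."""

    def do_TRACE(self):
        echoed = (self.requestline + "\r\n" + str(self.headers)).encode("iso-8859-1")
        self._reply(200, "message/http", echoed)


class NoTraceHandler(QuietHandler):
    """Hardened form: refuse TRACE outright and advertise the allowed methods."""

    def do_TRACE(self):
        self._reply(405, "text/plain", b"TRACE not permitted\n", [("Allow", "GET, HEAD")])

    def do_GET(self):
        self._reply(200, "text/plain", b"ok\n")


def send_trace(handler_cls):
    """Serve handler_cls on an ephemeral loopback port, send one TRACE carrying
    a constructed session cookie, and return (status, decoded body)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_address[1], timeout=5)
        conn.request("TRACE", "/", headers={"Cookie": "JSESSIONID=constructed-value",
                                            "Connection": "close"})
        resp = conn.getresponse()
        status, body = resp.status, resp.read().decode("iso-8859-1")
        conn.close()
        return status, body
    finally:
        server.shutdown()
        server.server_close()


SAMPLE_REQUESTS = [  # constructed traffic as an inline filter would see it
    b"GET /index.html HTTP/1.1\r\nHost: app.example\r\nCookie: JSESSIONID=c1\r\n\r\n",
    b"TRACE / HTTP/1.1\r\nHost: app.example\r\nCookie: JSESSIONID=c1\r\n\r\n",
    b"trace /app HTTP/1.0\r\nHost: app.example\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: app.example\r\nContent-Length: 0\r\n\r\n",
]

if __name__ == "__main__":
    print("blocked by filter:", [parse_request_line(r)[0] for r in filter_requests(SAMPLE_REQUESTS)])
    print("TRACE-enabled server:", send_trace(EchoTraceHandler))
    print("hardened server:", send_trace(NoTraceHandler))
```

Running the script prints the two constructed TRACE variants the filter blocks, then the echoing server's 200 response whose body contains the cookie that was sent, and finally the hardened server's 405. Disabling the method at the server, as the Oracle workaround does, and blocking it inline, as IPS-1 does, are complementary: the first removes the reflection, the second catches servers that were missed.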