WASP VULNERABILITY:CWE-16_CWE-538_CWE-693

Document ID : KB000122887
Last Modified Date : 29/01/2019
Introduction:
The following vulnerabilities were found during the assessment of a Windows server running CA UIM 8.5.1.

1) Apache JServ protocol service
The Apache JServ Protocol (AJP) is a binary protocol that can proxy inbound requests from a web server through to an application server that sits behind the web server. It is not recommended to have AJP services publicly accessible on the internet. If AJP is misconfigured, it could allow an attacker access to internal resources.

Restrict access to this service on production systems.
https://vpic481s0121.petronas.petronet.dir:8443/
https://vpic481s0123.petronas.petronet.dir:8443

2) Development configuration file
A configuration file (e.g. Vagrantfile, Gemfile, Rakefile, ...) was found in this directory. This file may expose sensitive information that could help a malicious user prepare more advanced attacks. It is recommended to remove or restrict access to files of this type on production systems.

Remove or restrict access to all configuration files accessible from the internet.
https://vpic481s0123.petronas.petronet.dir:8443/adminconsoleapp/package.json

3) Slow HTTP Denial of Service Attack
Slowloris and Slow HTTP POST DoS attacks rely on the fact that the HTTP protocol, by design, requires requests to be completely received by the server before they are processed. If an HTTP request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data. If the server keeps too many resources busy, this creates a denial of service.

Consult Web references for information about protecting your web server against this type of attack.
https://vpic481s0121.petronas.petronet.dir:8443/
https://vpic481s0123.petronas.petronet.dir:8443/

4) Clickjacking: X-Frame-Options header missing
The server did not return an X-Frame-Options header, which means that this website could be at risk of a clickjacking attack. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

Configure your web server to include an X-Frame-Options header.
https://vpic481s0123.petronas.petronet.dir:8443/
Question:
1) Apache JServ protocol service ---- CWE-16

Comments:
This is not something that can be fixed in the product; restricting access is a matter of how the systems are deployed. System administrators are advised to monitor critical systems for signs of suspicious activity and to restrict network access to vulnerable systems.

Below is an example of how an administrator can do that.
Edit the context.xml file in the path ...\Nimsoft\probes\service\wasp\conf (if the file does not exist, create a file named context.xml with the content below). After making this change, restart the wasp probe on each UIM or UMP server where you changed it.

<?xml version='1.0' encoding='utf-8'?>
<Context>
  <Manager pathname="" />
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|10\.20\.108\.255|10\.10\.177\.135"/>
</Context>

With the content above, only localhost and the few IP addresses listed are allowed to access the UIM or UMP URLs. (context.xml can be updated on either UIM or UMP servers; the URL served by the server where you make the change is the one that gets restricted.) If you try to access the UIM/UMP URLs from any other IP address not listed above, the request is rejected and you will get an error when hitting the UIM/UMP URLs.
For further configuration changes in the context.xml file, follow the link https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html and refer to the section "Remote Address Filter". Properties such as allow, deny, hostname and port can be given in the file.
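As an added example (not part of the original article or of the CA product), the following Python script loads a context.xml like the one above, extracts the RemoteAddrValve allow/deny patterns, and evaluates sample client addresses the way Tomcat's RequestFilterValve does (whole-string regex match, deny checked before allow), so an administrator can check the allow list before restarting wasp. The embedded XML and the sample addresses are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the context.xml shown in this article (raw string keeps the backslashes).
CONTEXT_XML = r"""<?xml version='1.0' encoding='utf-8'?>
<Context>
  <Manager pathname="" />
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|10\.20\.108\.255|10\.10\.177\.135"/>
</Context>
"""

REMOTE_ADDR_VALVE = "org.apache.catalina.valves.RemoteAddrValve"


def load_valve_patterns(xml_text):
    """Return (allow, deny) compiled from the first RemoteAddrValve; None for an attribute that is absent."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    for valve in root.iter("Valve"):
        if valve.get("className") == REMOTE_ADDR_VALVE:
            allow, deny = valve.get("allow"), valve.get("deny")
            return (re.compile(allow) if allow else None,
                    re.compile(deny) if deny else None)
    raise ValueError("no RemoteAddrValve found in context.xml")


def is_allowed(client_ip, allow, deny):
    """Mirror Tomcat's RequestFilterValve.isAllowed(): deny first, whole-string match (Java matches())."""
    if deny is not None and deny.fullmatch(client_ip):
        return False
    if allow is not None and allow.fullmatch(client_ip):
        return True
    # A deny list with no allow list lets everything that is not denied through.
    if deny is not None and allow is None:
        return True
    # Nothing matched (or only an allow list exists): reject the request.
    return False


def evaluate(xml_text, client_ips):
    """Map each client address to True (allowed) or False (denied) under the given context.xml."""
    allow, deny = load_valve_patterns(xml_text)
    return {ip: is_allowed(ip, allow, deny) for ip in client_ips}


if __name__ == "__main__":
    # Constructed sample addresses; 10.10.177.1350 shows that a prefix match is not enough.
    samples = ["127.0.0.1", "::1", "10.10.177.135", "10.10.177.1350", "192.168.1.20"]
    for ip, ok in evaluate(CONTEXT_XML, samples).items():
        print(f"{ip:>16}  {'allowed' if ok else 'denied'}")
```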


2) Development configuration file ---- CWE-538

Comments: Handled in hot fix

3) Slow HTTP Denial of Service Attack --- N/A

Comments:
The Tomcat project has stated that this is not a vulnerability in Tomcat. It is a generic DoS problem; there is no fix in Tomcat and none is planned. To prevent it, use firewall rules to limit the number of connections from a single host.
Please check the link below.
http://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat

4) Clickjacking: X-Frame-Options header missing --- CWE-693

Comments: Handled in hot fix
Environment:
WASP 8.5.1
Answer:
adminconsole-8.5.1-HF2 should be provided
Follow the steps below to apply it:

- Deactivate wasp.
- Back up the existing adminconsoleapp package in the archive.
- Delete the contents of the ..\Nimsoft\probes\service\wasp\work folder.
- Take a backup of the ..\Nimsoft\probes\service\wasp\webapps\adminconsoleapp folder.
- Delete the adminconsoleapp folder from the path ..\Nimsoft\probes\service\wasp\webapps.
- Import the hotfix package into the archive.
- Deploy it to the server on which the admin console application is running.
- Activate wasp.
- Clear the browser cache.