[ 
https://issues.apache.org/jira/browse/AMQ-5852?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14607507#comment-14607507
 ] 

ZAGOTSIS SERGIOS commented on AMQ-5852:
---------------------------------------

Hi,

I am referring to CVE-2004-2320, CVE-2010-0386, CVE-2003-1567 vulnerabilities.

Here is the PCI finding and the proposed solution that audit dept gave to us:
-----------------------------------------------------------------------------
The remote Web server supports the TRACE and/or TRACK HTTP methods, which makes 
it easier for remote attackers to steal cookies and
authentication credentials or bypass the HttpOnly protection mechanism.

Track / Trace are required to be disabled to be PCI compliant.

IMPACT:
If this vulnerability is successfully exploited, attackers can potentially 
steal cookies and authentication credentials, or bypass the HttpOnly protection
mechanism.

SOLUTION:
Disable these methods in your web server's configuration file.

$telnet localhost 61614

TRACE / HTTP/1.1
Host: localhost:61614
HTTP/1.1 200 OK
Content-Type: message/http
Content-Length: 115
Server: Jetty(7.6.9.v20130131)
-----------------------------------------------------------------------------

In the activemq.xml file there is the following transportConnector definition:

            <transportConnector name="ws" uri="ws://0.0.0.0:61614?maximumConnections=1000&amp;wireFormat.maxFrameSize=104857600"/>


So I need a way/solution to disable the TRACK and TRACE methods that are activated 
on port 61614, so that the above telnet command does not return a 200 OK result.
I hope that now everything is clear?

Installed OS is Redhat 6.5 and RedHat 7.
Installed activemq version is 5.9.0
Installed java version is jdk1.7.0_67
Installed tomcat version is 7.0.42

Regards



> DISABLE TRACE/TRACK 
> --------------------
>
>                 Key: AMQ-5852
>                 URL: https://issues.apache.org/jira/browse/AMQ-5852
>             Project: ActiveMQ
>          Issue Type: Bug
>    Affects Versions: 5.9.0
>         Environment: RedHat 6.5 & Redhat 7
>            Reporter: ZAGOTSIS SERGIOS
>
> Hi, 
> According to PCI stress test I need :
> 1. to disable TRACE and TRACK Method on 61614 port.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
