nexus-public
Jetty web server has TRACE and OPTIONS methods enabled displayed as a warning in vulnerability scanners
Using a vulnerability scanner to scan a system running Nexus version 3.67.1-01 or lower will pick up two issues.
- HTTP TRACE Method Enabled
  - ID: http-trace-method-enabled
  - Published: Nov 1, 2004
  - Severity: Severe (6)
  - Added: Nov 1, 2004
  - Risk Score: 696
  - Modified: Feb 13, 2015
  - CVSS: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
  - CVSS Score: 5.8
  - Exploitability:
  - Categories: HTTP, IAVM, Web, XSS
  - CVEs: CVE-2004-2320, CVE-2004-2763, CVE-2005-3398, CVE-2006-4683, CVE-2007-3008, CVE-2008-7253, CVE-2009-2823, CVE-2010-0386

The HTTP TRACE method is normally used to return the full HTTP request back to the requesting client for proxy-debugging purposes. An attacker can create a webpage using XMLHTTP, ActiveX, or XMLDOM to cause a client to issue a TRACE request and capture the client's cookies. This effectively results in a Cross-Site Scripting attack.
- HTTP OPTIONS Method Enabled
  - ID: http-options-method-enabled
  - Published: Oct 7, 2005
  - Severity: Moderate (3)
  - Added: Aug 28, 2018
  - Risk Score: 586
  - Modified: Jan 15, 2019
  - CVSS: (AV:N/AC:H/Au:N/C:P/I:N/A:N)
  - CVSS Score: 2.6
  - Exploitability:
  - Categories: HTTP, Web
  - CVEs:

Web servers that respond to the OPTIONS HTTP method expose what other methods are supported by the web server, allowing attackers to narrow and intensify their efforts.
I appended the following to the file `nexus-3.67.1-01\etc\jetty\nexus-web.xml` before the `</web-app>` tag at the end of the file.

```xml
  <!-- An empty auth-constraint allows no roles, so OPTIONS is denied on every URL -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <!-- Same deny-all constraint for TRACE -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
```

This will disable the TRACE and OPTIONS methods. Can this be added to the next build?