Check Point Advisories

Update Protection against Sun Java System Application Server HTTP TRACE Vulnerability

Check Point Reference: CPAI-2010-102
Date Published: 1 Feb 2010
Severity: High
Last Updated: Friday 01 January, 2010
Source: Oracle Bug ID: 5063481  
Industry Reference:

CVE-2010-0386
US-CERT VU#867593

Protection Provided by:
Who is Vulnerable? Sun Java System Application Server Standard Edition 7 2004Q2
Vulnerability Description: Sun Java System Application Server 7 and 7 2004Q2 enable the HTTP TRACE method, which attackers can leverage to obtain sensitive user information. The HTTP TRACE method returns the contents of the client's HTTP request in the entity body of the TRACE response. A local or remote unprivileged user may be able to abuse HTTP TRACE to read sensitive information from the HTTP headers of requests made to a Sun Java System Application Server.
Update/Patch Available: The vendor, Oracle, has released a workaround:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-200942-1
Vulnerability Details: Because the TRACE response reflects the request that reached the server, an attacker who can cause a TRACE request to be sent can read headers such as Cookie and Authorization from the reflected body, including values a script is normally not allowed to see. Combined with cross-domain weaknesses in web browsers (the technique known as cross-site tracing), sensitive header information can be read from any domain that supports the HTTP TRACE method.
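The check below is an added example and is not part of the Check Point advisory or of the Sun/Oracle product; it shows how a practitioner would verify whether a server reflects TRACE requests. It starts two throwaway local servers, one that echoes TRACE (modelling the vulnerable behaviour) and one that refuses it with 405, then sends each a raw TRACE request carrying a constructed sentinel header and a constructed cookie and reports whether they come back in the body. The server classes, the sentinel header name and the cookie value are assumptions made for the demonstration.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed probe values: a header name nobody else uses and a fake cookie,
# so a reflected copy in the response body is unambiguous.
SENTINEL_HEADER = "X-Xst-Probe"
SENTINEL_VALUE = "probe-7f3a"
PROBE_COOKIE = "session=constructed-cookie-value"


class QuietHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging for the demo
        pass


class EchoingTraceHandler(QuietHandler):
    """Assumed model of the vulnerable behaviour: TRACE reflects the request."""

    def do_TRACE(self):
        # Reconstruct the request line and headers exactly as received.
        echo = (self.requestline + "\r\n" + str(self.headers)).encode("iso-8859-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)


class HardenedHandler(QuietHandler):
    """Same server with TRACE refused: 405 plus an Allow header, no request echo."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()


def check_trace(host, port, path="/", timeout=5.0):
    """Send one raw TRACE request and report whether the sentinel header and cookie are echoed."""
    request = (
        f"TRACE {path} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        f"{SENTINEL_HEADER}: {SENTINEL_VALUE}\r\n"
        f"Cookie: {PROBE_COOKIE}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:  # server closes after the response (Connection: close)
                break
            chunks.append(data)
    raw = b"".join(chunks).decode("iso-8859-1")
    head, _, body = raw.partition("\r\n\r\n")
    status = int(head.split("\r\n", 1)[0].split(" ", 2)[1])
    return {
        "status": status,
        "echoed": f"{SENTINEL_HEADER}: {SENTINEL_VALUE}" in body,
        "cookie_leaked": PROBE_COOKIE in body,
        "body": body,
    }


def run_server(handler_cls):
    """Start a throwaway server on a free loopback port in a background thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Probe the vulnerable and hardened servers; returns {name: check_trace result}."""
    results = {}
    for name, handler in (("vulnerable", EchoingTraceHandler), ("hardened", HardenedHandler)):
        server = run_server(handler)
        try:
            results[name] = check_trace("127.0.0.1", server.server_port)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        verdict = "TRACE enabled, request headers reflected" if r["echoed"] else "TRACE refused"
        print(f"{name:10s} HTTP {r['status']}: {verdict}")
```

Against a real host, point check_trace at it instead of the local servers; a 200 with the sentinel in the body means the server reflects request headers, while a 405 or 501 without the sentinel is the expected result after the workaround is applied. The sentinel matters because some servers answer TRACE with 200 and an empty or generic body, which is not a leak.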

Protection Overview
