DX Application Performance Management

Community,

Has anyone contended with the CVE-2000-0649 NIST finding, if so, how did you resolve this issue?

Part of our contractual requirements, we have to run NIST scans across all servers and the scan picked up a security finding.

   Nessus Plugin ID 10759

   CVE-2000-0649

https://www.tenable.com/plugins/nessus/10759
https://www.tenable.com/cve/CVE-2000-0649

Bug 405188 - HTTP 1.0 with GET returns internal IP address
https://bugs.eclipse.org/bugs/show_bug.cgi?id=405188

Reviewing the various resources and knowing that it is a Jetty web server, found the following link:
http://jetty.4.x6.nabble.com/jetty-users-NAT-with-HTTP-1-0-returns-internal-IP-address-td4960322.html

CA Support Case: 01337425

In CA APM 10.5.2, it was using Jetty 6.1.26 and in CA APM 10.7 sp3 has Jetty 9.4.11.  We upgraded, had the APM scanned again and the issue was still present.

If you have this issue, and upgrade, don't forget to clear all of the EM's caches (<emhome>/work, <emhome>/product/enterprisemanager/configuration (don't delete the config.ini), <emhome>/product/webview/configuration (don't delete the config.ini)

Thank you,

Billy

Dear Billy:

I will send you Engineer's suggestion later today. You can find some help in https://wiki.cryptshare.com/display/CKB/The+internal+IP+address+is+revealed+in+HTTP1.0'

Thanks

Hal German

Thanks Hal.

The solution was an additional jetty section in the em-jetty-config.xml and the webview-jetty-config.xml files

<New class="org.eclipse.jetty.server.HttpConnectionFactory">
    <Arg name="config">
        <New class="org.eclipse.jetty.server.HttpConfiguration">
            <Set name="secureScheme">https</Set>
            <Set name="requestHeaderSize">16384</Set>
            <Set name="sendServerVersion">false</Set>

  <!-- 20190422 Support Case 01337425 -->
            <Call name="addCustomizer">
                <Arg>
                    <New class="org.eclipse.jetty.server.SecureRequestCustomizer" />
                </Arg>
            </Call>
            <Call name="addCustomizer">
                <Arg>
                    <Ref refid="hostHeaderCustomizer" />
                </Arg>
            </Call>

        </New>

<!-- 20190422 Support Case 01337425 -->

    </Arg>
</New>

Review the different sections within the jetty-config.xml files, since it contains the secure and non-secure ports.  Double check your ports that you have set in your EM configuration (default : 8081), if you have changed it, reflect that change in the em-jetty-config.xml file.

In order to activate the two jetty files, you have to modify the IntroscopeEnterpriseManager.properties and the IntroscopeWebView.properties files to uncomment the jetty configuration lines.

           introscope.enterprisemanager.webserver.jetty.configurationFile=em-jetty-config.xml

           introscope.webview.jetty.configurationFile=webview-jetty-config.xml

Restart the APM cluster.

We customized the index.jsp file to not have any redirects so the issue did not appear on our collectors, but by default, this issue might appear on the out of the box index.jsp under <em home>/product\enterprisemanager\plugins\com.wily.introscope.workstation.webstart_10.5.2\WebContent

If you do get this issue on the collectors, my best guess is that you would need to enable the em-jetty-config.xml, add the additional section, review the ports to clear the issue.

Another issue, was after we upgraded from 10.5.2.99 to 10.7.0.197 sp3, we had to shut down the EMs and clear the <em>/work, <em>/product/enterprisemanager/configuration (excluding the config.ini), and the <em>/product/webview/configuration (excluding the config.ini), in order to clear the jetty.jar from cache.

Hope this helps,

Billy