Why does OpenVAS report CVE-2003-0042 when my server isn’t running Tomcat?

Update: the plugin that was producing the false positive has been removed and the vulnerability rolled into plugin OID 1.3.6.1.4.1.25623.1.0.53322.  Thanks to Micha (Michael Meyer) and the rest of the developer team for addressing this problem so promptly!

(Also posted here.)

OpenVAS reports that an Apache virtual host is vulnerable to CVE-2003-0042, which is a vulnerability in versions of Tomcat prior to 3.3.1a. The host is not running Tomcat.

The detection OID is 1.3.6.1.4.1.25623.1.0.11438.

Why is this vulnerability detected and how can I fix it? Is it a false positive?

***

Yes, it may be a false positive.

CVE-2003-0042 was triggered by a GET request containing an embedded nul (0x00) character, which allowed listing of directories that should not have been listable and retrieval of unprocessed JSP source code. The OpenVAS test for this vulnerability first requests the site's home page; if that does not produce a directory listing, it sends a second request containing an embedded nul. If the malformed request returns a directory listing when the original did not, the site is assumed to be vulnerable.

However, modern versions of Apache httpd stop parsing the request line at the nul character and discard the remainder. The Host header that selects the virtual host is therefore never applied, and the request is handled in the context of the default virtual host, which for name-based hosting is the first <VirtualHost> block defined for that address and port.

As a result, if the document root of the default virtual host produces a directory listing (no index file, and directory indexes enabled) while the home page of the virtual host being scanned does not, OpenVAS sees a listing only in the nul request and reports a false positive for CVE-2003-0042.
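The check and the diagnosis described above, as an added example that is not part of the original post and not the OpenVAS plugin's own code. It sends the ordinary request, the same request with an embedded nul, and a request with no Host header at all (which is what the nul request degrades into on Apache), then compares the three answers. The "Index of /" heuristic for spotting a mod_autoindex listing, the exact placement of the nul in the request, and the function names are assumptions of this example; the sample responses are constructed, not captured from a real server.

```python
"""Reproduce the OpenVAS-style nul-byte check for CVE-2003-0042 and tell a
genuine hit from the Apache default-virtual-host false positive.

Added example; not the original post's or the OpenVAS plugin's code.  The
request layout and the mod_autoindex detection heuristic are assumptions.
"""
import re
import socket

# mod_autoindex listings carry "<title>Index of /...</title>" (assumed heuristic).
AUTOINDEX_RE = re.compile(rb"<title>\s*Index of /", re.IGNORECASE)


def build_request(path: bytes, host: bytes) -> bytes:
    """Ordinary HTTP/1.0 request with a Host header, so the named vhost answers."""
    return b"GET " + path + b" HTTP/1.0\r\nHost: " + host + b"\r\n\r\n"


def build_nul_request(path: bytes, host: bytes) -> bytes:
    """Same request with a raw nul after the path (assumed placement).

    Apache stops parsing the request line at the nul, so the protocol
    version and the Host header after it are never applied; the request is
    served by the default virtual host.
    """
    return b"GET " + path + b"\x00 HTTP/1.0\r\nHost: " + host + b"\r\n\r\n"


def is_directory_listing(response: bytes) -> bool:
    """True if the raw response looks like a mod_autoindex directory listing."""
    return AUTOINDEX_RE.search(response) is not None


def diagnose(normal: bytes, with_nul: bytes, default_vhost: bytes) -> str:
    """Classify the three raw responses.

    normal        - response to the ordinary request for the vhost's home page
    with_nul      - response to the same request with an embedded nul
    default_vhost - response to a request sent with no Host header
    """
    if is_directory_listing(normal):
        return "home page lists the directory anyway; nul test is not meaningful"
    if not is_directory_listing(with_nul):
        return "not vulnerable"
    if is_directory_listing(default_vhost):
        return "false positive: listing comes from the default virtual host"
    return "possible genuine CVE-2003-0042 hit; confirm the server is Tomcat"


def probe(host: str, port: int = 80, path: str = "/") -> str:
    """Send the three requests over TCP and diagnose (needs network access)."""

    def send(raw: bytes) -> bytes:
        with socket.create_connection((host, port), timeout=10) as s:
            s.sendall(raw)
            chunks = []
            while True:
                data = s.recv(65536)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)

    h, p = host.encode(), path.encode()
    normal = send(build_request(p, h))
    with_nul = send(build_nul_request(p, h))
    no_host = send(b"GET " + p + b" HTTP/1.0\r\n\r\n")  # lands on default vhost
    return diagnose(normal, with_nul, no_host)


# Constructed sample responses for offline use (not captured from a server).
LISTING = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
           b"<html><head><title>Index of /</title></head>"
           b"<body><h1>Index of /</h1><ul><li><a href=\"old/\">old/</a></li>"
           b"</ul></body></html>")
INDEX_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
              b"<html><head><title>Welcome</title></head>"
              b"<body><p>Hello</p></body></html>")

if __name__ == "__main__":
    # The scenario from the text: scanned vhost has an index page, the
    # default vhost does not, so the nul request alone shows a listing.
    print(diagnose(INDEX_PAGE, LISTING, LISTING))
```

Run `probe("www.example.com")` against a host you are allowed to scan; the third request is the useful one, because if it returns a listing on its own, the scanner finding is about the default virtual host, not the one named in the report.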

This false positive can be prevented by placing an index.html file in the document root of the default virtual host, so that no directory listing is generated there. Disabling directory indexes on that host (Options -Indexes) or defining an explicit catch-all default virtual host has the same effect and is worth doing anyway, since a listing exposed on the default host is a small information leak in its own right. Because the finding depends on the default host's content rather than on the scanned host, it can appear against every name-based virtual host sharing that address, so check the default host first.
