
Why does OpenVAS report CVE-2003-0042 when my server isn’t running Tomcat?

August 18, 2014

Update: the plugin that was producing the false positive has been removed and the vulnerability rolled into plugin OID 1.3.6.1.4.1.25623.1.0.53322.  Thanks to Micha (Michael Meyer) and the rest of the developer team for addressing this problem so promptly!

(Also posted here.)

OpenVAS reports that an Apache virtual host is vulnerable to CVE-2003-0042, which is a vulnerability in versions of Tomcat prior to 3.3.1a. The host is not running Tomcat.

The detection OID is 1.3.6.1.4.1.25623.1.0.11438.

Why is this vulnerability detected and how can I fix it? Is it a false positive?

***

Yes, it may be a false positive.

CVE-2003-0042 was triggered by a GET request containing an embedded nul character, which made it possible to list directories that should not be listable and to obtain the source code of JSP files. The OpenVAS test for this vulnerability first requests the site’s home page; if that does not produce a directory listing, it sends a second request containing an embedded nul. If the malformed request returns a directory listing when the original request did not, the site is assumed to be vulnerable.

However, modern versions of Apache respond to the nul character in the malformed GET request by discarding the remainder of the line. This includes the information about which virtual host the request is for, so the request is parsed in the context of the default virtual host.

As a result, if the home page of the default virtual host generates a directory listing but the home page of the virtual host being scanned does not, a false positive for CVE-2003-0042 is generated.

This false positive can be prevented by placing an index.html file on the home page of the default virtual host, so that a directory listing is not generated.
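To make the interaction concrete, here is an added example that models the behaviour described above; it is not code from this post, from the OpenVAS plugin or from Apache. The `ToyApache` class, the `LISTING_MARKER` string, the `openvas_style_check` function and the hostnames are all hypothetical. The toy server cuts a request line at an embedded nul so that the Host header is never seen and the default virtual host answers, exactly the mechanism the post blames for the false positive, and the check function reproduces the two-request logic the post describes. Running `demo()` shows the check firing while the default virtual host has no index file and going quiet once one is added.

```python
from typing import Dict

# Marker a scanner might look for to recognise an Apache directory listing
# (constructed for this example).
LISTING_MARKER = "<title>Index of /</title>"


class ToyApache:
    """Toy model of an Apache server with name-based virtual hosts.

    vhosts maps hostname -> {path: body}. The first entry is the default
    virtual host. A directory with no index.html is served as a listing.
    """

    def __init__(self, vhosts: Dict[str, Dict[str, str]]):
        self.vhosts = vhosts
        self.default_host = next(iter(vhosts))

    def handle(self, raw: bytes) -> str:
        # Behaviour the post describes for modern Apache: everything after an
        # embedded nul on the request line is discarded, and with it the
        # information that identifies the virtual host, so the request is
        # parsed in the context of the default virtual host.
        nul = raw.find(b"\x00")
        if nul != -1:
            raw = raw[:nul] + b"\r\n\r\n"  # nothing after the nul survives
        head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
        lines = head.split("\r\n")
        parts = lines[0].split(" ")
        path = parts[1] if len(parts) > 1 else "/"
        host = None
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "host":
                host = value.strip().split(":")[0]
        vhost = self.vhosts.get(host, self.vhosts[self.default_host])
        if path in vhost:
            return vhost[path]
        if path.endswith("/") and path + "index.html" in vhost:
            return vhost[path + "index.html"]
        # No file and no index.html: Apache-style directory listing.
        return f"<html><head>{LISTING_MARKER}</head><body>listing</body></html>"


def openvas_style_check(server: ToyApache, hostname: str) -> bool:
    """Simplified model of the check logic the post describes (not the
    plugin's NASL code): request the home page; if that is not a directory
    listing, repeat the request with an embedded nul and flag the host if
    the malformed request returns a listing."""
    normal = f"GET / HTTP/1.1\r\nHost: {hostname}\r\n\r\n".encode("latin-1")
    if LISTING_MARKER in server.handle(normal):
        return False  # listing is visible anyway; nothing for the nul to reveal
    malformed = f"GET /\x00 HTTP/1.1\r\nHost: {hostname}\r\n\r\n".encode("latin-1")
    return LISTING_MARKER in server.handle(malformed)


def demo() -> Dict[str, bool]:
    """Same scanned vhost, before and after the post's fix on the default vhost."""
    before = ToyApache({
        "default.example": {},                                   # bare docroot: lists "/"
        "www.example.com": {"/index.html": "<html>Welcome</html>"},
    })
    after = ToyApache({
        "default.example": {"/index.html": "<html>Nothing here</html>"},  # the fix
        "www.example.com": {"/index.html": "<html>Welcome</html>"},
    })
    return {
        "before_fix": openvas_style_check(before, "www.example.com"),
        "after_fix": openvas_style_check(after, "www.example.com"),
    }


if __name__ == "__main__":
    print(demo())  # {'before_fix': True, 'after_fix': False}
```

The scanned host `www.example.com` is identical in both runs; only the default virtual host changes. That is the point of the post: the finding is about whichever virtual host answers when the Host header is lost, so the index.html has to go on the default virtual host, not on the one named in the report. On a real Apache server, turning off `Options Indexes` for the default virtual host's document root removes the listing in the same way.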
