We have installed the ITPAM application version 4.3 and OpenJDK 1.8.0_265-3 on the production servers, and during the vulnerability scan the following vulnerabilities were reported. The vulnerabilities are part of the CWE-16 series of vulnerabilities.
The Web server contains a flaw that may allow a remote attacker to delete arbitrary files by using the HTTP method 'DELETE', resulting in a loss of integrity.
Additional Information: DELETE method found via OPTIONS banner
HTTP DELETE Method Enabled (http-delete-method-enabled)
Description:
The Web server contains a flaw that may allow a remote attacker to delete arbitrary files by using the HTTP method 'DELETE', resulting in a loss of integrity.
Affected Nodes:
Affected Nodes | Additional Information
x.x.x.x:8080 | DELETE method found via OPTIONS banner
x.x.x.x:8443 | DELETE method found via OPTIONS banner
References:
Source | Reference
OWASP-2010 | A6
OWASP-2013 | A5
OWASP-2013 | A9
XF | http-delete(4253)
Vulnerability Solution:
Apache HTTPD
Disable HTTP DELETE Method for Apache
Disable the DELETE method by including the following in the Apache configuration:
<Limit DELETE>
Order deny,allow
Deny from all
</Limit>
Java System Web Server, SunONE WebServer, Sun-ONE-Web-Server, iPlanet
Disable HTTP DELETE Method for Sun Java System Web Server (or Sun ONE Web Server, iPlanet Web Server, Netscape Enterprise Server)
In the server.xml configuration file, add the following lines to restrict the DELETE method to particular users:
acl "uri=/dir/*";
deny (all)
user = "anyone";
allow (read,list,execute,info)
user = "all";
allow (read,list,execute,info,write,delete)
user = "username";
Microsoft IIS
Disable HTTP DELETE Method for IIS
Disable the DELETE method by doing the following in IIS Manager:
1. Select the relevant site.
2. Open Request Filtering and switch to the HTTP Verbs tab.
3. Select Deny Verb from the Actions pane.
4. Type DELETE into the text box provided and press OK.
nginx
Disable HTTP DELETE Method for nginx
Disable the DELETE method by adding the following line to the relevant location block of your server configuration (limit_except is only valid inside a location block). Any other HTTP methods that should remain allowed can be listed after POST; every method not listed is denied:
limit_except GET POST { deny all; }
Disable HTTP DELETE method
Disable HTTP DELETE method on your web server. Refer to your web server's instruction manual on how to do this.
Release : 4.3
Component : Process Automation
1. Navigate to installation_dir\server\c2o\deployers\jbossweb.deployer and locate web.xml.
2. Take a backup of web.xml.
3. Open web.xml, search for <http-method>TRACE</http-method>, add <http-method>OPTIONS</http-method> directly below it, and save the file. Restart the server.
4. In the case of a cluster, make this change on all nodes and restart them.
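As an added example (not from the KB article or the product), the following script performs step 3 on a web.xml in memory: it inserts OPTIONS directly below TRACE inside the same web-resource-collection, leaves the file untouched if OPTIONS is already listed, and lets you verify which methods the security-constraint now covers. The sample web.xml and its xmlns value are constructed; the real file's layout may differ.

```python
import xml.etree.ElementTree as ET

NS = "http://java.sun.com/xml/ns/javaee"   # assumed namespace; check the real file's xmlns
ET.register_namespace("", NS)              # serialise without a prefix, like the original
METHOD = f"{{{NS}}}http-method"
COLLECTION = f"{{{NS}}}web-resource-collection"

# Constructed sample web.xml: one security-constraint that already blocks TRACE.
# The empty <auth-constraint/> denies the listed methods to every caller.
SAMPLE_WEB_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="{NS}" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
"""

def add_method_below(root, existing="TRACE", new="OPTIONS"):
    """Insert <http-method>new</http-method> right after <http-method>existing</http-method>
    in every web-resource-collection that lists `existing` but not `new`. Returns the count."""
    inserted = 0
    for coll in root.iter(COLLECTION):
        kids = list(coll)
        present = {k.text.strip() for k in kids if k.tag == METHOD and k.text}
        if existing not in present or new in present:
            continue                                   # nothing to do: re-running is safe
        idx = max(i for i, k in enumerate(kids)
                  if k.tag == METHOD and k.text and k.text.strip() == existing)
        el = ET.Element(METHOD)
        el.text, el.tail = new, kids[idx].tail         # reuse the neighbour's indentation
        coll.insert(idx + 1, el)
        inserted += 1
    return inserted

def harden_web_xml_text(xml_text):
    """Step 3 on the text of web.xml: returns (new_text, number_of_insertions)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    n = add_method_below(root)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode"), n

def blocked_methods(xml_text):
    """Every http-method named in a web-resource-collection; use it to verify the edit."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return {m.text.strip() for m in root.iter(METHOD) if m.text}
```

Write the returned text back only after taking the backup from step 2, then restart the server (and repeat on every cluster node, step 4).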