Disable Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability

Explorer

Hi

We are gearing up to be audited for PCI. How can I achieve the above result so that we can get a clean scan on our servers?

Here is more info:

TCP Port 9091

[root@01 ~]# netstat -putan | egrep "9091"
tcp        0      0 :::9091                     :::*                        LISTEN      2318/java

[root@01 ~]# ps aux | grep 2318
root       555  0.0  0.0 103320   844 pts/0    R+   14:42   0:00 grep 2318
root      2318  0.1  4.1 7854504 336264 ?      Sl   Feb10 151:56 /opt/appdynamics/machine-agent/jre/bin/java -Dlog4j.configuration=file:/opt/appdynamics/machine-agent/conf/logging/log4j.xml -jar /opt/appdynamics/machine-agent/machineagent.jar

[root@01 ~]# /opt/appdynamics/machine-agent/jre/bin/java -version
java version "1.8.0_74"
Java(TM) SE Runtime Environment (build 1.8.0_74-b02)
Java HotSpot(TM) 64-Bit Server VM (build 25.74-b02, mixed mode)

Thanks

Kobus

AppDynamics Team

Re: Disable Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability

Hi Kobus,


Is this vulnerability discovered on an AppDynamics Controller endpoint? If so, could you please share the endpoint URL?

Machine Agent is not a web server, so I do not see the connection.


Regards,
Saradhi

Explorer

Re: Disable Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability

Hi

Thank you for the reply.

In answer:

Well it is on one, and only one of our servers. It is not on an endpoint, just a normal server with the client installed.

So yes, I don't understand that either. I might just reinstall the client and see what happens.

Kobus

AppDynamics Team

Re: Disable Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability

Hi Kobus,

Machine agent runs as a standalone Java program. If there is any other web server installed on the same server as the machine agent, you might want to check that web server.

Regards,
Saradhi

Explorer

Re: Disable Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability

Well, there is, but the other web servers do not have this port 9091 open. Just this one process, as I listed in my original post.

AppDynamics Team

Re: Disable Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability

It would give a better idea to know how the vulnerability scanner detects this vulnerability on 9091. It should be calling some endpoint; otherwise I do not see an issue of XSS.
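The last reply asks how the scanner detects this on port 9091. The following is an added example, not code from the thread or from AppDynamics: it reproduces the check a scanner runs for this finding (send one HTTP TRACE request and see whether the request line and headers are echoed back in the body), so that a defender can point it at the flagged host and port, see exactly what the scanner sees, and confirm after remediation that the method is refused. The two handler classes are constructed stand-ins for a server that still honours TRACE and one that answers 405; the host, port, marker header name, and function names are assumptions, not anything from the thread.

```python
import http.client
import http.server
import threading


def trace_method_enabled(host, port, timeout=5.0):
    """Send one HTTP TRACE request to host:port and report whether it is honoured.

    A server that still supports TRACE answers 200 and echoes the request line
    and headers back in the body; that echo is what a cross-site-tracing check
    looks for. A hardened server answers 405 or 501, or drops the connection.
    Returns (enabled, status); status is None if no HTTP response came back.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # Constructed marker header: if it comes back in the body, the server
        # echoed our request, i.e. TRACE is enabled.
        conn.request("TRACE", "/", headers={"X-Audit-Marker": "trace-check"})
        resp = conn.getresponse()
        body = resp.read(4096).decode("latin-1", errors="replace")
        echoed = "X-Audit-Marker: trace-check" in body
        return (resp.status == 200 and echoed, resp.status)
    except (OSError, http.client.HTTPException):
        return (False, None)
    finally:
        conn.close()


class EchoingTraceHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a server that still supports TRACE (the scanner finding)."""

    def do_TRACE(self):
        # Echo the request line and headers, as a TRACE-capable server does.
        echo = f"{self.requestline}\r\n{self.headers}".encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(echo)))
        self.end_headers()
        self.wfile.write(echo)

    def log_message(self, *args):  # keep the example quiet
        pass


class HardenedHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a server with TRACE disabled (answers 405)."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def run_local_check(handler_cls):
    """Start a throwaway server on 127.0.0.1 with the given handler and test it.

    Returns the (enabled, status) tuple from trace_method_enabled().
    """
    server = http.server.HTTPServer(("127.0.0.1", 0), handler_cls)
    port = server.server_address[1]  # port 0 above means: pick a free one
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return trace_method_enabled("127.0.0.1", port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Local demonstration against the two constructed servers.
    print("echoing server  :", run_local_check(EchoingTraceHandler))   # (True, 200)
    print("hardened server :", run_local_check(HardenedHandler))       # (False, 405)
    # Against a real host, replace the two constructed servers with e.g.:
    #   print(trace_method_enabled("127.0.0.1", 9091))
```

A result of `(True, 200)` from a flagged port means the listener really does echo TRACE requests and the finding is genuine; `(False, 405)`, `(False, 501)` or `(False, None)` is what a clean re-scan expects to see. If the port in question returns no HTTP response at all, the scanner's evidence for the finding should be requested, since the check above is all the finding amounts to.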