Home Page | Skip to Navigation | Skip to Content | Skip to Search | Skip to Footer

Preemptive Protection against Sun Java System Application Server HTTP TRACE Method Vulnerability

Attack ID: CPAI-2004-56
Publish Date:
Category: Unsafe HTTP Methods
Vulnerable Systems: Sun Java System Application Server Standard Edition 7 and later updates;  
Sun Java System Application Server Standard Edition 7 2004Q2 and later updates;  
Sun Java System Application Server Platform Edition 7 and later updates

Sunsolve ID: 57670


A vulnerability exists in the way the Sun Java System Application server processes a specific HTTP method. A remote attacker can abuse this method to obtain sensitive information about the Web server, including server cookies and authentication information.  


The HTTP TRACE method is typically used for debugging and network analysis purposes to request the contents of HTTP request messages received by the Web server. When an HTTP TRACE request is sent to a web server that supports it, that server will respond echoing the data that is passed to it, including any HTTP headers.

The problem is that Sun Java System Application Server by default responds to HTTP TRACE requests. A remote unprivileged attacker may be able to abuse the HTTP TRACE functionality to gain access to sensitive information in HTTP headers when making HTTP requests to Sun Java System Application servers.

Attack Detection:

Users of VPN-1 NG with Application Intelligence R54, R55 and users of VPN-1 NG with Application Intelligence R55W with Web Intelligence license who have applied the solution outlined below, will be able to identify blocked HTTP connections with the following SmartView Tracker logging entries:

Log for R55
: reason: Web security: HTTP method 'trace' is not allowed. For more details on HTTP methods please refer to SecureKnowledge solution sk17454.

Log for R55W
Attack Name: HTTP Methods
Information: reason: WSE0110001 blocked method : 'TRACE'


Users of VPN-1 NG with Application Intelligence R54, R55, R55W and Connectra are preemptively protected against this vulnerability.

VPN-1 HTTP Security Server (R54, R55) and Web Intelligence (R55W, Connectra) block the HTTP TRACE method along with other unsafe HTTP methods by default.

To enable the protection (R54, R55):

  1. On the SmartDefense navigation tree, click Application intelligence, click Web and then click HTTP Protocol Inspection.
  2. Select one of the two options: If you select Configurations apply to all connections, you will also need to enable Perform strict protocol enforcement in order for the protection to work.

    Selecting Configurations apply only to connections related to resources used in the Rule Base offers a more granular protection with inspection only to connections related to pre-configured URI resources used in the rule base. If you select this option you will need to define a URI resource and use it in the rule base.

To enable the protection (R55W & Connectra with Web Intelligence license):

1. On the Web Intelligence navigation tree, click HTTP Protocol Inspection > HTTP Methods.

2. Select Selected HTTP Methods and click Add; the Select Blocked HTTP Methods window appears.

3. Select TRACE, click OK.
4. Install policy on all modules.



Industry Reference:
Additional Information:

CERT: VU#867593