> 
> Hi,
> 
> We are using activemq 5.14 in our application and the recent Internal 
> Vulnerability Assessment shows that http-options-method-enabled on port 61614.
> 
> curl "http://XX.xX.xxx.xxx:61614/" -X OPTIONS -v
> * About to connect() to XX.xX.xxx.xxx port 61614 (#0)
> *   Trying XX.xX.xxx.xxx... connected
> * Connected to XX.xX.xxx.xxx (XX.xX.xxx.xxx) port 61614 (#0)
> > OPTIONS / HTTP/1.1
> > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> > Host: XX.xX.xxx.xxx:61614
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Date: Thu, 11 Apr 2019 02:02:48 GMT
> < Allow: GET, HEAD, TRACE, OPTIONS
> < Content-Length: 0
> < Server: Jetty
> I have researched this and found that ActiveMQ uses embedded Jetty, and
> tried adding the security constraint in jetty.xml as below.
> 
> <bean id="httpMethodSecurityConstraint"
>       class="org.eclipse.jetty.util.security.Constraint">
>     <property name="name" value="Restricted" />
>     <!--<property name="roles" value="admin" /> -->
>     <!-- set authenticate=false to disable login -->
>     <property name="authenticate" value="true" />
> </bean>
> <bean id="httpMethodSecurityConstraintMapping"
>       class="org.eclipse.jetty.security.ConstraintMapping">
>     <property name="constraint" ref="httpMethodSecurityConstraint" />
>     <property name="method" value="OPTIONS" />
>     <property name="pathSpec" value="/*" />
> </bean>
> <bean id="securityHandler"
>       class="org.eclipse.jetty.security.ConstraintSecurityHandler">
>     <property name="loginService" ref="securityLoginService" />
>     <property name="authenticator">
>         <bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
>     </property>
>     <property name="constraintMappings">
>         <list>
>             <ref bean="httpMethodSecurityConstraintMapping" />
>         </list>
>     </property>
>     <property name="handler" ref="secHandlerCollection" />
> </bean>
> But the result of the below still returns HTTP status 200.
> 
> curl "http://XX.xX.xxx.xxx:61614/" -X OPTIONS -v
> 
> Any help with this issue would be of great help.
> 
> Thank You.
> 
> 
> Sent from my iPhone
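Added example, not code from the post or from ActiveMQ: a small Python checker that repeats the scanner's OPTIONS and TRACE probes against each of the broker's HTTP listeners and parses the `Allow:` header, so a change to the Jetty configuration can be re-verified by running one script instead of reading curl output by hand. The host is a placeholder; the port list assumes the stock ActiveMQ 5.x layout, where 8161 is the web console that jetty.xml configures and 61614 is the `ws` transport connector declared in activemq.xml, which starts its own embedded Jetty instance that the constraints in jetty.xml do not govern. `SAMPLE_RESPONSE` reproduces the response headers shown in the post so the parsing path can be exercised offline; the names `audit`, `probe`, `classify` and `verdict_for_raw` are this example's own.

```python
# Added example (not from the mailing-list post or ActiveMQ): probe which HTTP
# methods each listener answers, the way the assessment did, and report a verdict.
import http.client
import sys

PROBE_METHODS = ("OPTIONS", "TRACE")
# Assumption: stock ActiveMQ 5.x ports. 8161 = web console (jetty.xml),
# 61614 = "ws" transport connector from activemq.xml (its own Jetty instance).
DEFAULT_PORTS = (8161, 61614)

# Response headers as shown in the post (masked host), kept as fixed offline input.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 11 Apr 2019 02:02:48 GMT\r\n"
    "Allow: GET, HEAD, TRACE, OPTIONS\r\n"
    "Content-Length: 0\r\n"
    "Server: Jetty\r\n"
    "\r\n"
)


def parse_allow(header_value):
    """Turn an Allow: header value into a set of upper-case method names."""
    if not header_value:
        return set()
    return {m.strip().upper() for m in header_value.split(",") if m.strip()}


def parse_response_text(text):
    """Parse the head of a raw HTTP/1.x response: (status_code, {lower-name: value})."""
    head = text.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status = int(lines[0].split(None, 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(status):
    """'enabled' for a 2xx answer, 'blocked' for 401/403/405 (constraint or servlet
    refused the method), 'unknown' for anything else so the reader looks at it."""
    if 200 <= status < 300:
        return "enabled"
    if status in (401, 403, 405):
        return "blocked"
    return "unknown"


def verdict_for_raw(text):
    """Offline variant: verdict, status and advertised methods from a raw response."""
    status, headers = parse_response_text(text)
    return classify(status), status, sorted(parse_allow(headers.get("allow")))


def probe(host, port, method, path="/", timeout=5.0):
    """Send one request and return (status, Allow-set). Raises on connection errors."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        resp.read()  # drain so the connection closes cleanly
        return resp.status, parse_allow(resp.getheader("Allow"))
    finally:
        conn.close()


def audit(host, ports=DEFAULT_PORTS, methods=PROBE_METHODS):
    """Probe every method on every port: {(port, method): (verdict, status, allow-list)}."""
    results = {}
    for port in ports:
        for method in methods:
            try:
                status, allow = probe(host, port, method)
            except (OSError, http.client.HTTPException) as exc:
                results[(port, method)] = ("error", None, str(exc))
                continue
            results[(port, method)] = (classify(status), status, sorted(allow))
    return results


def summarise(results):
    """One report line per probe, sorted by port then method."""
    lines = []
    for (port, method), (verdict, status, detail) in sorted(results.items()):
        if verdict == "error":
            lines.append(f"{port} {method:7} error: {detail}")
        else:
            allow = ", ".join(detail) if detail else "-"
            lines.append(f"{port} {method:7} {verdict} ({status}) Allow: {allow}")
    return lines


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # placeholder host
    print("\n".join(summarise(audit(target))))
```

Run it as `python check_methods.py <broker-host>` before and after editing the configuration; a listener that still answers `enabled (200)` with `TRACE` in its `Allow:` list has not been affected by the change, which is the quickest way to tell whether the constraint was wired into the right Jetty instance.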