Our security team's Rapid7 scan had determined a vulnerability and stated that the web server contains a flaw that may allow a remote attacker to delete arbitrary files by using the HTTP method 'DELETE',
resulting in a loss of integrity. In order to get rid of this vulnerability, we had added the security constraint in /tomcat/conf/web.xml as below:
    <!-- Deny the DELETE method on every URL: an empty auth-constraint grants access to no role -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>restricted methods</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint />
    </security-constraint>
The same is also documented by Jaspersoft: https://support.tibco.com/s/article/Tibco-KnowledgeArticle-Article-40320. Even after adding this security constraint, our Rapid7 security scan flagged this again.
Below is the response we received from TIBCO Support.
The linked article is not related to JasperServer; it is related to the TIBCO Administrator application. JasperServer uses the DELETE method internally for web services. Disabling the DELETE method entirely would break some functionality of the server and is not recommended. There are internal security mechanisms such as CSRF Guard, and services that use the DELETE HTTP verb require authentication.
The DELETE verb is used by JasperServer REST services and cannot be removed entirely. Access to services that utilize the DELETE verb requires authentication. It is not possible to completely remove it, and just having the DELETE verb available to be used does not necessarily indicate a vulnerability.
7.9.0 uses both the DELETE and PUT verbs in services. They do not have any immediate plans to stop using either the DELETE or PUT verbs for the services; they have plans to introduce x-http-method-override header support to give the ability to map DELETE or PUT to POST, but this has no ETA currently.
Based on the above facts, we are taking an exception from the internal security team on this for at least 1 year and expect the solution to be in place soon.
FYI: Jasper Support reference case no. 02052057
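As an added check (example code, not from the post and not Jaspersoft's or TIBCO's own tooling): a small Python script that reads a Tomcat web.xml and reports, per url-pattern, which HTTP methods an empty auth-constraint denies to everyone and which merely require a role, so you can confirm the DELETE constraint is really present in the deployed file before re-running the scan. The sample web.xml below is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the poster's full web.xml): the DELETE constraint from
# the post, plus a second constraint that only requires the "admin" role.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint />
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/admin/*</url-pattern>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _local(tag):
    """Drop the XML namespace so web.xml parses the same with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def method_constraints(web_xml_text):
    """Map each url-pattern to {"denied": set, "auth_required": set}.
    denied: methods under an empty <auth-constraint/>, usable by no role (what
    the poster's constraint does to DELETE on /*). auth_required: methods whose
    <auth-constraint> names a role. No <http-method> means every method ("*");
    a security-constraint with no <auth-constraint> restricts nothing."""
    result = {}
    for sc in ET.fromstring(web_xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = [c for c in sc if _local(c.tag) == "auth-constraint"]
        if not auth:
            continue
        roles = [r for r in auth[0] if _local(r.tag) == "role-name"]
        key = "auth_required" if roles else "denied"
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            patterns = [e.text.strip() for e in wrc if _local(e.tag) == "url-pattern"]
            methods = [e.text.strip().upper() for e in wrc if _local(e.tag) == "http-method"]
            for p in patterns:
                entry = result.setdefault(p, {"denied": set(), "auth_required": set()})
                entry[key].update(methods or ["*"])
    return result
```

Run it against the real /tomcat/conf/web.xml (and each application's WEB-INF/web.xml, since those can add their own constraints) to see whether DELETE on /* shows up as denied; if it does and the scanner still flags it, the finding is about the method being accepted at all, which is what the support reply addresses.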
Components: JasperReports Server