Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
Read More & Register today!
SOLVED

content insight servlet

Avatar

Level 3
Level 3
7/12/18 4:34:37 PM

Hi Experts,

Can anyone help me understand the purpose of the below servlet and what it is used for?

http://localhost:4502/libs/cq/contentinsight/proxy/reportingservices.json.GET.servlet.a.23.css

Our team reported a vulnerability that using this servlet they can perform SSRF attacks and reach to the publisher bypassing the dispatcher.

While restricting it is an immediate measure we have taken but would like to understand the impact of restricting at the dispatcher.

Any inputs or links referring to the original documentation would be of great help

Regards

Kartheek

Views

5.6K

Replies

9
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Employee
Employee
8/3/18 10:58:36 AM

Hi Kartheek,

Apologies for the delay, I was confirming if the information is fine to release to public.

The workaround instead of installing the patch is to:

Change the “Whitelist” value from .*/api[0-9]*.omniture.com/.*  to https?:\/\/api(\d+)?\.omniture\.com(:\d+)?\/rs\/0\.5\/.* within /system/console/configMgr/com.adobe.cq.contentinsight.impl.servlets.ReportingServicesProxyServlet configuration.

Please make sure to upgrade to latest official patch when possible.

Regards,

Lisa

View solution in original post

Views

3.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
9 Replies

Avatar

Employee
Employee
7/13/18 3:46:17 PM

Hi Kartheek,

The purpose of the ReportingServicesProxyServlet.java servlet (found in the notes directly in the source code):

/**
* A servlet that proxies requests to Reporting Services's API for browsers
* not supporting real CORS, i.e. IE 9 with XDomainRequest.
* <p>
* The API's response code and body are copied to the servlet response.
*/

This SSRF vulnerability is related to Adobe Security Bulletin

Please note that the immediate fix would be to install the corresponding hotfix for your AEM version (if the official patch has not been released yet).

Proactive HF for 6.0 - https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani... 

Proactive HF for 6.1 - https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...

Pro-active HF for 6.2 - https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...

Pro-active HF for 6.3 - https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...

Pro-active HF for 6.4 - https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...

Regards,

Lisa

Views

3.2K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
7/14/18 12:53:26 AM

kartheekd20304289​ The servlet which invoked in backend of mentioned URL (http://localhost:4502/libs/cq/contentinsight/proxy/reportingservices.json.GET.servlet.a.23.css ) is ReportingServicesProxyServlet.java.

For more info, you can have a look at the code.

package com.adobe.cq.contentinsight.impl.servlets;
import org.slf4j.LoggerFactory;
import org.apache.felix.scr.annotations.Activate;
import org.apache.sling.commons.osgi.PropertiesUtil;
import org.osgi.service.component.ComponentContext;
import java.util.regex.Pattern;
import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.http.HttpResponse;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.client.HttpClient;
import java.net.URISyntaxException;
import org.apache.http.client.utils.HttpClientUtils;
import java.io.OutputStream;
import org.apache.commons.io.IOUtils;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.utils.URIBuilder;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.SlingHttpServletRequest;
import org.slf4j.Logger;
import org.apache.felix.scr.annotations.Reference;
import org.apache.http.osgi.services.HttpClientBuilderFactory;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.sling.SlingServlet;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
@SlingServlet(generateComponent = true, metatype = true, resourceTypes = { "cq/contentinsight/proxy" }, extensions = { "json" }, selectors = { "reportingservices" }, methods = { "GET" }, label = "Reporting Services API proxy servlet", description = "Proxy servlet for Reporting Services API")
public class ReportingServicesProxyServlet extends SlingSafeMethodsServlet
{
    private static final String DEFAULT_API_OMNITURE_URL = ".*/api[0-9]*.omniture.com/.*";
    @Property(name = "reportingservices.proxy.whitelist", label = "Whitelist", description = "Allowed destinations for the reporting services proxy servlet", cardinality = Integer.MAX_VALUE, value = { ".*/api[0-9]*.omniture.com/.*" })
    private String[] whiteList;
    @Reference
    private HttpClientBuilderFactory clientBuilderFactory;
    private static final long serialVersionUID = 7044811756109092040L;
    private static final Logger LOG;
    
    public ReportingServicesProxyServlet() {
        this.whiteList = new String[] { ".*/api[0-9]*.omniture.com/.*" };
    }
    
    protected void doGet(final SlingHttpServletRequest request, final SlingHttpServletResponse response) throws ServletException, IOException {
        final String url = request.getParameter("url");
        final String query = request.getParameter("q");
        if (url == null || query == null) {
            response.setStatus(400);
            return;
        }
        if (!this.isUrlAllowed(url)) {
            ReportingServicesProxyServlet.LOG.warn("Received url " + url + " not whitelisted!");
            return;
        }
        final CloseableHttpClient httpClient = this.clientBuilderFactory.newBuilder().build();
        try {
            final URIBuilder uriBuilder = new URIBuilder(url);
            uriBuilder.addParameter("q", query);
            final HttpGet get = new HttpGet(uriBuilder.build());
            get.setHeader("x-adobe-rs-auth", request.getHeader("x-adobe-rs-auth"));
            HttpResponse getResponse = null;
            try {
                getResponse = (HttpResponse)httpClient.execute((HttpUriRequest)get);
                final int status = getResponse.getStatusLine().getStatusCode();
                IOUtils.copy(getResponse.getEntity().getContent(), (OutputStream)response.getOutputStream());
                response.setStatus(status);
            }
            finally {
                HttpClientUtils.closeQuietly(getResponse);
            }
        }
        catch (URISyntaxException e) {
            ReportingServicesProxyServlet.LOG.error("Invalid URL: " + url, (Throwable)e);
        }
        finally {
            HttpClientUtils.closeQuietly((HttpClient)httpClient);
        }
    }
    
    private boolean isUrlAllowed(final String url) {
        boolean isAllowed = false;
        for (final String whitelistedRegex : this.whiteList) {
            final Pattern pattern = Pattern.compile(whitelistedRegex);
            isAllowed = pattern.matcher((CharSequence)url).matches();
            if (isAllowed) {
                break;
            }
        }
        return isAllowed;
    }
    
    @Activate
    protected void activate(final ComponentContext ctx) {
        this.whiteList = PropertiesUtil.toStringArray(ctx.getProperties().get("reportingservices.proxy.whitelist"), new String[] { ".*/api[0-9]*.omniture.com/.*" });
    }
    
    static {
        LOG = LoggerFactory.getLogger((Class)ReportingServicesProxyServlet.class);
    }
    
    protected void bindClientBuilderFactory(final HttpClientBuilderFactory clientBuilderFactory) {
        this.clientBuilderFactory = clientBuilderFactory;
    }
    
    protected void unbindClientBuilderFactory(final HttpClientBuilderFactory httpClientBuilderFactory) {
        if (this.clientBuilderFactory == httpClientBuilderFactory) {
            this.clientBuilderFactory = null;
        }
    }
}

Views

3.0K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Employee
Employee
7/16/18 8:11:41 AM

kartheekd20304289​ , yes , http://localhost:4502/libs/cq/contentinsight/proxy/reportingservices.json.GET.servlet.a.23 .css is the same as ReportingServicesProxyServlet.java servlet .

Here is better description regarding the functionality of this servlet:

The servlet is proxying requests for browsers (older IE) that do not properly support CORS XMLHttpRequests. The servlet is not used if Content-Insight is used with modern browsers.

Applying a Dispatcher filter would indeed interfere with the Content-Insight feature as other functionality is also exposed at /libs/cq/contentinsight/content/*.  However, we suggest to go with the official patch / hotfix to resolve the issue.

Views

3.1K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 3
Level 3
8/1/18 1:10:19 PM

Thanks.

Can you please share the appropriate hotfix/patch package for AEM Version 6.3.1.2

Views

2.9K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Employee
Employee
8/1/18 1:43:15 PM

Hi kartheekd20304289

The appropriate hotfix/patch package for AEM Version 6.3.1.2 is:

https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/compani...

Please note that the pre-requisite for this hotfix is SP2.

Regards,

Lisa

Views

3.2K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 3
Level 3
8/1/18 1:49:02 PM

Hi Lisa,

Unfortunately we are not on SP2 and we cannot upgrade to SP2 within the next few days.

Is there a way to mitigate the upgrade and provide us with a specific patch for our version so we can fix the security vulnerability faster?

Views

2.9K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 3
Level 3
8/3/18 10:42:10 AM

HI Lisa,

Please let us know  if there is any workaround without SP2 upgrade?

Views

2.9K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Employee
Employee
8/3/18 10:58:36 AM

Hi Kartheek,

Apologies for the delay, I was confirming if the information is fine to release to public.

The workaround instead of installing the patch is to:

Change the “Whitelist” value from .*/api[0-9]*.omniture.com/.*  to https?:\/\/api(\d+)?\.omniture\.com(:\d+)?\/rs\/0\.5\/.* within /system/console/configMgr/com.adobe.cq.contentinsight.impl.servlets.ReportingServicesProxyServlet configuration.

Please make sure to upgrade to latest official patch when possible.

Regards,

Lisa

Views

3.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
Related Conversations
Richtext data type not working in Content Fragment Model Solved

Views

96

Likes

0

Replies

1
Create Content Fragment with more than one variations from Excel File

Views

43

Likes

0

Replies

0
Content Fragments: Best Practice for Dynamic Shop Detail Pages (2024)

Views

98

Likes

0

Replies

2
Only allow workflow on certain content fragment models

Views

80

Likes

0

Replies

1
AEM - Search by content from text based document question

Views

99

Likes

0

Replies

2