Trapperkeeper / TK-473

Stop reporting Jetty server version

    Details

    • Type: Task
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: TK 1.5.6
    • Fix Version/s: TK-JETTY9 2.3.1
    • Component/s: None
    • Labels:
      None
    • Template:
    • Acceptance Criteria:
      • Jetty/TK does not report what version it is in the HTTP headers of its responses or error pages
    • Team:
      Server
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Jetty no longer reports its version. Its version was reported incorrectly before; to resolve this, we've removed the version header. Not reporting the version is a security best practice.
    • QA Risk Assessment:
      Needs Assessment

    Description

    Security scanners detect when we report the Jetty server version as "9.4.z-SNAPSHOT" in their scans. This means that they will assume we are running a vulnerable 9.4 version that contains CVE-2017-7658. Nick Lewis found that when we build TK as an uberjar, something about the environment confuses Jetty so that it no longer knows its build version and thus reports SNAPSHOT. We should disable reporting the server version entirely, as it isn't useful for debugging and just causes this sort of false report of security vulnerabilities.
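The acceptance criteria above ask that neither the response headers nor the error pages carry the Jetty version. The following script is an added example, not code from the Trapperkeeper project, that checks a raw HTTP response for both disclosure points and flags the SNAPSHOT case described in the ticket. The two sample responses are constructed for illustration (the header value and the "Powered by Jetty://" error-page footer follow the shape Jetty 9 produces, but they were not captured from a TK instance).

```python
"""Audit an HTTP response for Jetty version disclosure.

Two places leak the version in a default Jetty 9 setup:
  1. the Server response header, e.g. "Server: Jetty(9.4.z-SNAPSHOT)"
  2. the footer of the default error page, "Powered by Jetty:// <version>"
"""
import re
from typing import Dict, Optional, Tuple

# Constructed sample responses (not captured from a real Trapperkeeper server).
BEFORE_FIX = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Jetty(9.4.z-SNAPSHOT)\r\n"
    b"Content-Type: text/html;charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h2>HTTP ERROR 404</h2>"
    b"<hr><a href=\"http://eclipse.org/jetty\">Powered by Jetty:// 9.4.z-SNAPSHOT</a><hr/>"
    b"</body></html>"
)
AFTER_FIX = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/html;charset=iso-8859-1\r\n"
    b"\r\n"
    b"<html><body><h2>HTTP ERROR 404</h2></body></html>"
)

SERVER_HEADER_RE = re.compile(r"Jetty\(([^)]*)\)", re.IGNORECASE)
ERROR_PAGE_RE = re.compile(r"Powered by Jetty://\s*([^<\s]+)", re.IGNORECASE)


def split_response(raw: bytes) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into (status line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("iso-8859-1", errors="replace")


def header_version(raw: bytes) -> Optional[str]:
    """Version string from the Server header, or None when the header is absent.

    Any Server value counts as disclosure; the Jetty(...) form is unwrapped so the
    bare version can be inspected."""
    _, headers, _ = split_response(raw)
    server = headers.get("server")
    if server is None:
        return None
    m = SERVER_HEADER_RE.search(server)
    return m.group(1) if m else server


def body_version(raw: bytes) -> Optional[str]:
    """Version string from the default error-page footer, or None if not present."""
    _, _, body = split_response(raw)
    m = ERROR_PAGE_RE.search(body)
    return m.group(1) if m else None


def audit(raw: bytes) -> Dict[str, object]:
    """Summarise where (if anywhere) the response discloses the server version."""
    hv, bv = header_version(raw), body_version(raw)
    disclosed = [v for v in (hv, bv) if v]
    return {
        "header_version": hv,
        "body_version": bv,
        "discloses_version": bool(disclosed),
        # "SNAPSHOT" means the build metadata was lost (the uberjar case in this
        # ticket); a scanner cannot map it to a patch level and flags the worst case.
        "unidentifiable_build": any("SNAPSHOT" in v for v in disclosed),
    }


if __name__ == "__main__":
    for label, sample in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, audit(sample))
```

Running the script shows the constructed "before" response disclosing "9.4.z-SNAPSHOT" in both the header and the error-page body, and the "after" response disclosing nothing. On the Jetty side, the header is controlled by `HttpConfiguration.setSendServerVersion(false)` in the Jetty 9 API; whether and how Trapperkeeper's Jetty 9 webserver exposes that setting is not stated on this page, so the check above is written against the observable HTTP responses rather than any TK configuration key.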

    People

    • Assignee: Unassigned
    • Reporter: Brandon High (brandon.high)
    • Votes: 0
    • Watchers: 4