Trapperkeeper (moved to puppet.atlassian.net) / TK-473

Stop reporting Jetty server version


Details

    • Type: Task
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • TK 1.5.6
    • TK-JETTY9 2.3.1
    • TrapperKeeper
    • None
      • Jetty/TK does not report what version it is in the HTTP headers of its responses or error pages
    • Froyo
    • 33368
    • 1
    • Bug Fix
    • Jetty no longer reports its version. The version was being reported incorrectly before; to resolve this we've removed the version header. Not reporting the version is a security best practice.
    • Needs Assessment

    Description

      Security scanners detect that we report the Jetty server version as "9.4.z-SNAPSHOT". This means they assume we are running a vulnerable 9.4 version that contains CVE-2017-7658. Nick Lewis found that when we build TK as an uberjar, something about the environment confuses Jetty so that it no longer knows its build version and thus reports SNAPSHOT. We should disable reporting the server version entirely, as it isn't useful for debugging and just causes this sort of false report of security vulnerabilities.

          People

            Assignee: Unassigned
            Reporter: Brandon High (brandon.high)