Trapperkeeper / TK-473

Stop reporting Jetty server version


    Details

    • Type: Task
    • Status: Resolved
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: TK 1.5.6
    • Fix Version/s: TK-JETTY9 2.3.1
    • Component/s: None
    • Labels:
      None
    • Acceptance Criteria:
      • Jetty/TK does not report what version it is in the HTTP headers of its responses or error pages
    • Team:
      Froyo
    • Zendesk Ticket IDs:
      33368
    • Zendesk Ticket Count:
      1
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Jetty no longer reports its version. The version was previously reported incorrectly; to resolve this, the version header has been removed. Not reporting the version is a security best practice.
    • QA Risk Assessment:
      Needs Assessment

      Description

      Security scanners detect when we report the Jetty server version as "9.4.z-SNAPSHOT" in their scans. This means that they will assume we are running a vulnerable 9.4 version that contains CVE-2017-7658. Nick Lewis found that when we build TK as an uberjar, something about the environment confuses Jetty so that it no longer knows its build version and thus reports SNAPSHOT. We should disable reporting the server version entirely, as it isn't useful for debugging and just causes this sort of false report of security vulnerabilities.
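      As an added example (not the ticket's or tk-jetty9's own code), this is what the fix looks like when Jetty 9 is configured directly from Clojure: the Server header and X-Powered-By header are switched off on the connector's HttpConfiguration. The namespace, port and the trivial handler are assumptions made for the example.

```clojure
(ns example.quiet-jetty
  ;; Assumed namespace; only the Jetty 9 server API is used.
  (:import [org.eclipse.jetty.server Server ServerConnector ConnectionFactory
            HttpConfiguration HttpConnectionFactory]
           [org.eclipse.jetty.server.handler AbstractHandler]))

(defn- hello-handler
  "Minimal handler (assumption for the example) so the server has something to answer with."
  []
  (proxy [AbstractHandler] []
    (handle [_target base-request _request response]
      (.setContentType response "text/plain")
      (.setStatus response 200)
      (.. response getWriter (println "ok"))
      (.setHandled base-request true))))

(defn quiet-http-configuration
  "HttpConfiguration that keeps Jetty from announcing itself:
   no Server: Jetty(<version>) header and no X-Powered-By header."
  []
  (doto (HttpConfiguration.)
    (.setSendServerVersion false)   ; the header the scanners were keying on
    (.setSendXPoweredBy false)))

(defn start-server
  "Starts Jetty on `port` with the quiet configuration applied to its connector."
  [port]
  (let [server    (Server.)
        ;; ServerConnector takes ConnectionFactory varargs, hence the typed array.
        factories (into-array ConnectionFactory
                              [(HttpConnectionFactory. (quiet-http-configuration))])
        connector (doto (ServerConnector. server factories)
                    (.setPort port))]
    (.addConnector server connector)
    (.setHandler server (hello-handler))
    (.start server)
    server))

(comment
  ;; Check the result with: curl -sI http://localhost:8080/
  ;; The response should carry no Server: header at all.
  (def s (start-server 8080))
  (.stop s))
```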

            People

            Assignee:
            Unassigned
            Reporter:
            brandon.high Brandon High
