[TK-473] Stop reporting Jetty server version - Puppet Jira Server

XML

Word

Printable

Details

Type: Task
Status: Resolved
Priority: Normal
Resolution: Fixed
Affects Version/s: TK 1.5.6
Fix Version/s: TK-JETTY9 2.3.1
Component/s: TrapperKeeper
Labels:
None

Acceptance Criteria:
- Jetty/TK does not report what version it is in the HTTP headers of it's responses or error pages
Team:
Froyo

Zendesk Ticket IDs:
33368
Zendesk Ticket Count:
1

Release Notes:
Bug Fix
Release Notes Summary:
Jetty no longer reports its version. Its version was reported incorrectly before, to resolve this we've removed the version header. Not reporting the version is a security best practice.

QA Risk Assessment:
Needs Assessment

Description

Security scanners detect when we report the Jetty server version as "9.4.z-SNAPSHOT" in their scans. This means that they will assume we are running a vulnerable 9.4 version that contains cve-2017-7658. Nick Lewis found that when we build TK as an uberjar, something about the environment confuses Jetty so that it no longer knows its build version and thus reports SNAPSHOT. We should disable reporting the server version entirely, as it isn't useful for debugging and just causes these sort of false-reports of security vulnerabilities.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Brandon High

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2018/11/27 11:18 AM

Updated:: 2022/02/03 6:07 AM

Resolved:: 2019/01/07 1:41 PM