On 06/05/2021 14:09, Robert Hicks wrote:
We are getting evaluated and one of the items that I need to do is change
the "ServerInfo.properties" in the catalina.jar to set "server.info" and
"server.version" to nonsense (really).
I have the following Valve setup as well:
<Valve className="org.apache.catalina.valves.ErrorReportValve"
showReport="false"
showServerInfo="false" />
At what point would the "ServerInfo.properties" actually show a version and
server name to an end user?
I am just wondering if mucking with the jar every release is a worthwhile
thing and what security implications (if any) are involved.
No need to edit the JAR. Extract ServerInfo.properties to
$CATALINA_BASE/lib/org/apache/catalina/util and edit the extracted file.
It will be used in preference to the one in the JAR.
ServerInfo is exposed via ServletContext.getServerInfo() so it is
possible that an application will expose it.
The DefaultServlet will show it by default if listings are enabled (can
be disabled).
The ErrorReportValve will show it by default on error pages (can be
disabled).
The security argument goes something like:
"If you expose the software name and version number it makes it easier
for an attacker to identify known vulnerabilities for that version and
target your server"
My personal counter argument goes something like:
"Whether you expose the version number or not, if you run a version with
a known vulnerability that you are affected by then you are vulnerable.
Rather than waste time hiding the version number, which is simply
security by obscurity, i.e. no security at all, spend that time doing
something useful like upgrading the server so you are no longer exposed
to the vulnerability."
HTH,
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
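The override Mark describes, plus a quick check that the banner is actually gone, as an added example that is not code from the thread or from the Tomcat project. It assumes the Tomcat 9 layout (`$CATALINA_HOME/lib/catalina.jar`, a `ServerInfo.properties` carrying `server.info`, `server.number` and `server.built`) and that `unzip` is available; the function and file names, the replacement values, and the sample properties and HTTP response are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): write an overriding ServerInfo.properties
# under $CATALINA_BASE/lib and check a captured HTTP response for the stock banner.
set -eu

# rewrite_server_info INPUT_FILE OUTPUT_FILE NEW_INFO NEW_NUMBER
# Copies the properties file, replacing only the server.info and server.number
# values; every other key (server.built etc.) passes through unchanged.
rewrite_server_info() {
    in="$1"; out="$2"; info="$3"; number="$4"
    mkdir -p "$(dirname "$out")"
    # Escape the sed replacement metacharacters (&, /, \) in the new values.
    esc_info=$(printf '%s' "$info" | sed 's/[&/\]/\\&/g')
    esc_number=$(printf '%s' "$number" | sed 's/[&/\]/\\&/g')
    sed -e "s/^server\.info=.*/server.info=$esc_info/" \
        -e "s/^server\.number=.*/server.number=$esc_number/" "$in" > "$out"
}

# install_override CATALINA_HOME CATALINA_BASE NEW_INFO NEW_NUMBER
# Extracts the stock file from catalina.jar (no need to edit the JAR) and writes
# the overriding copy where Tomcat looks first:
# $CATALINA_BASE/lib/org/apache/catalina/util/ServerInfo.properties
install_override() {
    home="$1"; base="$2"
    tmp=$(mktemp)
    unzip -p "$home/lib/catalina.jar" \
        org/apache/catalina/util/ServerInfo.properties > "$tmp"
    rewrite_server_info "$tmp" \
        "$base/lib/org/apache/catalina/util/ServerInfo.properties" "$3" "$4"
    rm -f "$tmp"
}

# banner_leaks RESPONSE_FILE
# Returns 0 if a saved HTTP response (headers and body, e.g. from
# `curl -si http://host:8080/does-not-exist > resp.txt`) still contains the
# stock "Apache Tomcat/x.y.z" banner, 1 otherwise. Scanning the whole response
# also catches a Server header, not only the ErrorReportValve footer.
banner_leaks() {
    grep -Eq 'Apache Tomcat/[0-9]+\.[0-9]+\.[0-9]+' "$1"
}

# Offline demo on a constructed copy of the stock file (values invented).
demo() {
    work=$(mktemp -d)
    cat > "$work/stock.properties" <<'EOF'
server.info=Apache Tomcat/9.0.46
server.number=9.0.46.0
server.built=May 8 2021 12:00:00 UTC
EOF
    rewrite_server_info "$work/stock.properties" \
        "$work/lib/org/apache/catalina/util/ServerInfo.properties" \
        "WebServer/1.0" "1.0.0.0"
    cat "$work/lib/org/apache/catalina/util/ServerInfo.properties"
    rm -rf "$work"
}

demo
```

For a real instance run `install_override /opt/tomcat /opt/tomcat WebServer/1.0 1.0.0.0`, restart Tomcat, save a 404 response with curl and feed it to `banner_leaks`. The script has to be re-run after every Tomcat upgrade only if you want `server.built` to track the new build; the override file itself survives an upgrade because it lives in `$CATALINA_BASE`, not in the JAR.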