Group, I'm a Unix admin working on a Solaris 8 server running Tomcat 6.0.16. No other apps run on the server; for example, there is no Apache httpd running. I have been tasked with turning off ETag headers. Our security folks have supposedly identified this security vulnerability (note that it says Apache, but it's really Tomcat):
Vulnerability Identified: Apache ETag Header Information Disclosure Weakness

Severity: Low

Description: A cache management feature is available for Apache that makes use of an entity tag (ETag) header. When this option is enabled and a request is made for a document relating to a file, for caching purposes, an ETag response header is returned containing various file attributes. A weakness has been found in the generation of ETag headers under certain configurations implementing the FileETag directive.

Impact: Among the file attributes included in the header is the file inode number that is returned to a client. This poses a security risk, as this information may aid in launching attacks against other network-based services. For instance, NFS uses inode numbers to generate file handles.

Recommendation: Disable ETag headers. Apache 1.3.22 and earlier are not configurable to disable the use of inodes in ETag headers. Default behavior in later versions will still release this sensitive information. OpenBSD has released a patch that addresses this issue. Inode numbers returned from the server are now encoded using a private hash to avoid the release of sensitive information.

Can anyone tell me how to disable the ETag headers? I have searched the documentation, and sorry if it's there and I missed it.

Thanks!!
David
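One way to strip the ETag header in Tomcat 6, as an added example that is not part of the original post and not Tomcat's own code: a servlet filter that wraps the response and discards any ETag header the DefaultServlet (or a webapp) tries to set. It assumes only the Servlet 2.5 API that ships with Tomcat 6; the package, class and filter names are arbitrary. Before deploying it, note a caveat the scanner text does not cover: the finding describes Apache httpd's FileETag behaviour, whereas Tomcat 6's DefaultServlet emits a weak ETag of the form W/"contentLength-lastModified", which discloses file size and modification time but no inode number. Check the actual header first (for example with `curl -I` against a static file) so the fix matches the finding.

```java
// StripETagFilter.java
// Added example for this thread (not from the original post or from Tomcat).
// Assumes the Servlet 2.5 API bundled with Tomcat 6 (javax.servlet.*).
// The package, class and filter names below are arbitrary choices.
package example;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class StripETagFilter implements Filter {

    public void init(FilterConfig config) throws ServletException {
        // Nothing to configure.
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (!(response instanceof HttpServletResponse)) {
            chain.doFilter(request, response);
            return;
        }

        // Wrap the response so that any setHeader/addHeader call for "ETag"
        // is dropped. Every other header passes through unchanged, so
        // Last-Modified is still sent and conditional GETs keep working via
        // If-Modified-Since.
        HttpServletResponseWrapper wrapper =
            new HttpServletResponseWrapper((HttpServletResponse) response) {
                @Override
                public void setHeader(String name, String value) {
                    if (!"ETag".equalsIgnoreCase(name)) {
                        super.setHeader(name, value);
                    }
                }

                @Override
                public void addHeader(String name, String value) {
                    if (!"ETag".equalsIgnoreCase(name)) {
                        super.addHeader(name, value);
                    }
                }
            };

        chain.doFilter(request, wrapper);
    }
}

/* Registration in the webapp's WEB-INF/web.xml (filter names are arbitrary):

   <filter>
       <filter-name>StripETag</filter-name>
       <filter-class>example.StripETagFilter</filter-class>
   </filter>
   <filter-mapping>
       <filter-name>StripETag</filter-name>
       <url-pattern>/*</url-pattern>
   </filter-mapping>
*/
```

Compile the class against servlet-api.jar from $CATALINA_HOME/lib and deploy it under the webapp's WEB-INF/classes. To cover every webapp on the server instead, put the compiled class in a jar in $CATALINA_HOME/lib and add the same filter and filter-mapping elements to $CATALINA_HOME/conf/web.xml; the class must be on the shared classpath for that to load. After restarting Tomcat, confirm with `curl -I` against a static resource that the response carries Last-Modified but no ETag.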