If you are running behind Apache, you can turn that off using mod_headers; you can unset any headers then.
On Fri, Jun 20, 2008 at 8:37 PM, Dave Girardin <[EMAIL PROTECTED]> wrote:
> Group,
>
> I'm a Unix admin working on a Solaris 8 server running Tomcat 6.0.16. No
> other apps run on the server, for example, there is no Apache httpd
> running.
> I have been tasked with turning off ETag headers. Our security folks have
> supposedly identified this security vulnerability; note that it says Apache
> but it's really Tomcat:
>
> Vulnerability Identified: Apache ETag Header Information Disclosure
> Weakness
>
> Severity: Low
>
> Description: A cache management feature is available for Apache that makes
> use of an entity tag (ETag) header. When this option is enabled and a
> request is made for a document relating to a file, for caching purposes, an
> ETag response header is returned containing various file attributes. A
> weakness has been found in the generation of ETag headers under certain
> configurations implementing the FileETag directive.
>
> Impact: Among the file attributes included in the header is the file inode
> number that is returned to a client. This poses a security risk, as this
> information may aid in launching attacks against other network-based
> services. For instance, NFS uses inode numbers to generate file handles.
>
> Recommendation: Disable ETag headers. Apache 1.3.22 and earlier are not
> configurable to disable the use of inodes in ETag headers. Default behavior
> in later versions will still release this sensitive information. OpenBSD
> has released a patch that addresses this issue. Inode numbers returned from
> the server are now encoded using a private hash to avoid the release of
> sensitive information.
>
> Can anyone tell me how to disable the ETag headers? I have searched the
> documentation and sorry if it's there I missed it.
>
> Thanks!!
>
> David

--
Regards,
Youssef
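For the poster's situation (Tomcat only, no httpd in front to run mod_headers), here is an added example that is not from the thread or from the Tomcat project: a servlet filter for Tomcat 6 (Servlet 2.5 API) that drops the ETag response header and hides If-None-Match from the request, so the DefaultServlet neither emits an ETag nor answers 304 against one it no longer sends. The class and inner class names are my own; it assumes it is declared in web.xml and mapped to the url-pattern /*.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter name; map it to /* in web.xml so it wraps every response.
public class NoETagFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse s = (HttpServletResponse) res;
        // Wrap both sides: strip the conditional request header, drop the response tag.
        chain.doFilter(new StripIfNoneMatch(r), new DropETag(s));
    }

    // Hides If-None-Match so DefaultServlet cannot validate against an ETag we suppress.
    static class StripIfNoneMatch extends HttpServletRequestWrapper {
        StripIfNoneMatch(HttpServletRequest r) { super(r); }
        private boolean hidden(String n) { return "If-None-Match".equalsIgnoreCase(n); }
        public String getHeader(String n) { return hidden(n) ? null : super.getHeader(n); }
        public Enumeration getHeaders(String n) {
            return hidden(n) ? Collections.enumeration(Collections.EMPTY_LIST) : super.getHeaders(n);
        }
        public Enumeration getHeaderNames() {
            List names = new ArrayList();
            for (Enumeration e = super.getHeaderNames(); e.hasMoreElements();) {
                String n = (String) e.nextElement();
                if (!hidden(n)) names.add(n);
            }
            return Collections.enumeration(names);
        }
    }

    // Silently discards any attempt by a servlet to set or add an ETag header.
    static class DropETag extends HttpServletResponseWrapper {
        DropETag(HttpServletResponse s) { super(s); }
        private boolean isETag(String n) { return "ETag".equalsIgnoreCase(n); }
        public void setHeader(String n, String v) { if (!isETag(n)) super.setHeader(n, v); }
        public void addHeader(String n, String v) { if (!isETag(n)) super.addHeader(n, v); }
    }
}
```

After deploying, confirm with a HEAD request (for example `curl -I`) that no ETag line comes back and that a request carrying If-None-Match still gets a 200 rather than a 304.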