
List:       tomcat-user
Subject:    Re: Retrieve server.built, server.number
From:       Christopher Schultz <chris () christopherschultz ! net>
Date:       2024-04-15 17:26:47
Message-ID: 3f6977b0-3311-42c7-a9d2-db22bfc387e2 () christopherschultz ! net



On 4/11/24 10:59, Mark Thomas wrote:
> 
> 
> On 11/04/2024 15:49, Bill Stewart wrote:
>> On Wed, Apr 10, 2024 at 2:14 PM Mark Thomas wrote:
>>
>>>> ... and it might represent an information leakage vulnerability in your
>>>> application. Be Careful.
>>>
>>> Shall we start the flame war now on whether exposing the current version
>>>    you are running represents a valid vulnerability or if hiding it is
>>> just security by obscurity? Or do you want to save it for Bratislava?
>>>
>>> :)
>>>
>>> More seriously, your time is likely to be better spent (in my view)
>>> keeping your Tomcat installations up to date with the latest releases
>>> than it is ensuring that you hide the version number.
>>>
>>
>> The amusing thing (or irritating thing, depending on your point of view) is
>> when a large organization uses a vulnerability scanner and a Tomcat
>> instance gets flagged as a security risk because it reveals its version
>> number in the 404 error page. (Yes, this is a real scenario.)
> 
> At least it is an easy fix: showServerInfo="false"
> 
> assuming that is going to be easier than convincing folks that exposing 
> the version number isn't an issue.

+1

Revealing the server version isn't a vulnerability, period. But if your 
operational practices are such that you leave old versions that have 
known published vulnerabilities running in production, then you have 
broken operational practices that need to be fixed.

IMHO, revealing your server version number may be an incentive to keep 
your software up-to-date.

On the flip side, hiding your server's version number is *not a valid 
security control*. If you are advertising your server version number it 
only increases the likelihood of someone identifying your site as 
potentially vulnerable /if you have an old version/.

If a zero-day is published against Tomcat, anyone who wants to attack 
Tomcat-based services will attack anyone they want since the 
vulnerability is likely to affect both old-version and new-version 
deployments.

But well-known vulnerabilities from past versions may make it attractive 
for miscreants to use something like Shodan to search for servers 
running particularly old versions to attack them.

So... if you want to reveal your server version, feel free to do so. But 
make sure you stay up-to-date. You should always stay up-to-date. The 
policy of the Apache Tomcat Security Team is to release security-related 
patches with announcements /coming later/. So any release may be a 
security-related release. You won't know until afterward whether or not 
it's an "important" update.

-chris
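For readers who want the "easy fix" Mark mentions in context: this is an added server.xml fragment, not something posted in the thread. It places Tomcat's ErrorReportValve (a real Catalina valve) inside the Host element with showServerInfo="false", so the default error pages no longer print the "Apache Tomcat/x.y.z" version line; the hostname and appBase are placeholder values.

```xml
<!-- Placeholder Host element; adjust name/appBase to your deployment. -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false">

  <!-- Default behaviour (equivalent to having no ErrorReportValve declared):
       showServerInfo defaults to true, so a 404 page ends with the
       Tomcat version string that scanners pick up. -->
  <!--
  <Valve className="org.apache.catalina.valves.ErrorReportValve"
         showServerInfo="true" />
  -->

  <!-- Hardened: suppress the version line. showReport="false" additionally
       drops the status message/stack-trace details from the page body. -->
  <Valve className="org.apache.catalina.valves.ErrorReportValve"
         showServerInfo="false"
         showReport="false" />

</Host>
```

To verify after a restart, request a path that does not exist on the host and confirm the returned 404 body no longer contains the "Apache Tomcat/" version string.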

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
