Re: Retrieve server.built, server.number
On 4/11/24 10:59, Mark Thomas wrote:
> On 11/04/2024 15:49, Bill Stewart wrote:
>> On Wed, Apr 10, 2024 at 2:14 PM Mark Thomas wrote:
>>>> ... and it might represent an information leakage vulnerability in your
>>>> application. Be Careful.
>>>
>>> Shall we start the flame war now on whether exposing the current version
>>> you are running represents a valid vulnerability or if hiding it is
>>> just security by obscurity? Or do you want to save it for Bratislava?
>>>
>>> :)
>>>
>>> More seriously, your time is likely to be better spent (in my view)
>>> keeping your Tomcat installations up to date with the latest releases
>>> than it is ensuring that you hide the version number.
>>
>> The amusing thing (or irritating thing, depending on your point of view)
>> is when a large organization uses a vulnerability scanner and a Tomcat
>> instance gets flagged as a security risk because it reveals its version
>> number in the 404 error page. (Yes, this is a real scenario.)
>
> At least it is an easy fix:
>
> showServerInfo="false"
>
> assuming that is going to be easier than convincing folks that exposing
> the version number isn't an issue.

+1

Revealing the server version isn't a vulnerability, period. But if your operational practices are such that you leave old versions that have known published vulnerabilities running in production, then you have broken operational practices that need to be fixed. IMHO, revealing your server version number may be an incentive to keep your software up-to-date.

On the flip side, hiding your server's version number is *not a valid security control*. If you are advertising your server version number it only increases the likelihood of someone identifying your site as potentially vulnerable /if you have an old version/. If a zero-day is published against Tomcat, anyone who wants to attack Tomcat-based services will attack anyone they want since the vulnerability is likely to affect both old-version and new-version deployments.

But well-known vulnerabilities from past versions may make it attractive for miscreants to use something like Shodan to search for servers running particularly old versions to attack them.

So... if you want to reveal your server version, feel free to do so. But make sure you stay up-to-date. You should always stay up-to-date. The policy of the Apache Tomcat Security Team is to release security-related patches with announcements /coming later/. So any release may be a security-related release. You won't know until afterward whether or not it's an "important" update.

-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Retrieve server.built, server.number
On 11/04/2024 15:49, Bill Stewart wrote:
> On Wed, Apr 10, 2024 at 2:14 PM Mark Thomas wrote:
>>> ... and it might represent an information leakage vulnerability in your
>>> application. Be Careful.
>>
>> Shall we start the flame war now on whether exposing the current version
>> you are running represents a valid vulnerability or if hiding it is
>> just security by obscurity? Or do you want to save it for Bratislava?
>>
>> :)
>>
>> More seriously, your time is likely to be better spent (in my view)
>> keeping your Tomcat installations up to date with the latest releases
>> than it is ensuring that you hide the version number.
>
> The amusing thing (or irritating thing, depending on your point of view)
> is when a large organization uses a vulnerability scanner and a Tomcat
> instance gets flagged as a security risk because it reveals its version
> number in the 404 error page. (Yes, this is a real scenario.)

At least it is an easy fix:

showServerInfo="false"

assuming that is going to be easier than convincing folks that exposing the version number isn't an issue.

Mark
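The setting Mark quotes, written out as an added server.xml fragment for context (this is an illustration, not configuration posted in the thread). Tomcat adds an ErrorReportValve to every Host implicitly with showReport and showServerInfo both defaulting to true, which is what produces the "Apache Tomcat/9.0.xx" banner on the default 404 page; declaring the valve explicitly inside the Host replaces the implicit one. The Host attributes below are the ones from the stock Tomcat 9 server.xml and are assumed here.

```xml
<!-- Added example, not from the thread. Tomcat 9 server.xml, inside <Engine>. -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

  <!-- Without an explicit Valve, Tomcat behaves as if this were present:

         <Valve className="org.apache.catalina.valves.ErrorReportValve"
                showReport="true" showServerInfo="true" />

       i.e. error pages carry the Tomcat version string and, for 500s,
       the exception report. The explicit element below replaces that
       implicit valve. showServerInfo="false" drops the version banner;
       showReport="false" also drops stack traces from error pages, which
       is the more defensible reason to set both. -->
  <Valve className="org.apache.catalina.valves.ErrorReportValve"
         showReport="false"
         showServerInfo="false" />

</Host>
```

To confirm the change took effect, request a path that does not exist and look for the version string in the response, for example `curl -si http://host:8080/does-not-exist | grep -i tomcat`. Note that this only governs pages generated by the ErrorReportValve: a web application that declares its own `<error-page>` entries in web.xml never reaches it, and the stock ROOT, docs, manager and host-manager webapps display the version on their own pages, so remove them from production deployments if they are not needed.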
Re: Retrieve server.built, server.number
On Wed, Apr 10, 2024 at 2:14 PM Mark Thomas wrote:

>> ... and it might represent an information leakage vulnerability in your
>> application. Be Careful.
>
> Shall we start the flame war now on whether exposing the current version
> you are running represents a valid vulnerability or if hiding it is
> just security by obscurity? Or do you want to save it for Bratislava?
>
> :)
>
> More seriously, your time is likely to be better spent (in my view)
> keeping your Tomcat installations up to date with the latest releases
> than it is ensuring that you hide the version number.

The amusing thing (or irritating thing, depending on your point of view) is when a large organization uses a vulnerability scanner and a Tomcat instance gets flagged as a security risk because it reveals its version number in the 404 error page. (Yes, this is a real scenario.)
Re: Retrieve server.built, server.number
Mark,

On 4/10/24 16:12, Mark Thomas wrote:
> On 10/04/2024 21:15, Christopher Schultz wrote:
>> All,
>>
>> On 4/10/24 4:00 AM, Mark Thomas wrote:
>>> On 09/04/2024 17:17, prat 007 wrote:
>>>> Hi All,
>>>>
>>>> I would like to know is there a way to find tomcat's server.built and
>>>> server.number remotely using tool like curl or from browser?
>>>
>>> In a default installation, no.
>>>
>>> You'd have to write a servlet that reported that information and then
>>> request that page.
>>
>> ... and it might represent an information leakage vulnerability in your
>> application. Be Careful.
>
> Shall we start the flame war now on whether exposing the current version
> you are running represents a valid vulnerability or if hiding it is
> just security by obscurity? Or do you want to save it for Bratislava?
>
> :)

Hey, I've been running Apache-Coyote/1.1 since 1998 and I'm still standing.

> More seriously, your time is likely to be better spent (in my view)
> keeping your Tomcat installations up to date with the latest releases
> than it is ensuring that you hide the version number.

+1

Upgrading Tomcat should be something that any application management team is comfortable doing. Upgrading with every monthly Tomcat release should not be a burden if you choose to do it.

-chris
RE: Retrieve server.built, server.number
True that Mark, but unfortunately Management typically has a different thought process on that. ☹

Dream * Excel * Explore * Inspire

Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His
Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions
8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508
jonmcalexan...@wellsfargo.com

From: Mark Thomas
Sent: Wednesday, April 10, 2024 3:13 PM
To: users@tomcat.apache.org
Subject: Re: Retrieve server.built, server.number

On 10/04/2024 21:15, Christopher Schultz wrote:
> All,
>
> On 4/10/24 4:00 AM, Mark Thomas wrote:
>> On 09/04/2024 17:17, prat 007 wrote:
>>> Hi All,
>>>
>>> I would like to know is there a way to find tomcat's server.built and
>>> server.number remotely using tool like curl or from browser?
>>
>> In a default installation, no.
>>
>> You'd have to write a servlet that reported that information and then
>> request that page.
>
> ... and it might represent an information leakage vulnerability in your
> application. Be Careful.

Shall we start the flame war now on whether exposing the current version you are running represents a valid vulnerability or if hiding it is just security by obscurity? Or do you want to save it for Bratislava?

:)

More seriously, your time is likely to be better spent (in my view) keeping your Tomcat installations up to date with the latest releases than it is ensuring that you hide the version number.

Mark
Re: Retrieve server.built, server.number
On 10/04/2024 21:15, Christopher Schultz wrote:
> All,
>
> On 4/10/24 4:00 AM, Mark Thomas wrote:
>> On 09/04/2024 17:17, prat 007 wrote:
>>> Hi All,
>>>
>>> I would like to know is there a way to find tomcat's server.built and
>>> server.number remotely using tool like curl or from browser?
>>
>> In a default installation, no.
>>
>> You'd have to write a servlet that reported that information and then
>> request that page.
>
> ... and it might represent an information leakage vulnerability in your
> application. Be Careful.

Shall we start the flame war now on whether exposing the current version you are running represents a valid vulnerability or if hiding it is just security by obscurity? Or do you want to save it for Bratislava?

:)

More seriously, your time is likely to be better spent (in my view) keeping your Tomcat installations up to date with the latest releases than it is ensuring that you hide the version number.

Mark
Re: Retrieve server.built, server.number
All,

On 4/10/24 4:00 AM, Mark Thomas wrote:
> On 09/04/2024 17:17, prat 007 wrote:
>> Hi All,
>>
>> I would like to know is there a way to find tomcat's server.built and
>> server.number remotely using tool like curl or from browser?
>
> In a default installation, no.
>
> You'd have to write a servlet that reported that information and then
> request that page.

... and it might represent an information leakage vulnerability in your application. Be Careful.

-chris
Re: Retrieve server.built, server.number
On 09/04/2024 17:17, prat 007 wrote:
> Hi All,
>
> I would like to know is there a way to find tomcat's server.built and
> server.number remotely using tool like curl or from browser?

In a default installation, no.

You'd have to write a servlet that reported that information and then request that page.

Mark

> I am currently running tomcat v 9.0.87. This information gets displayed
> when we run version.sh or in the starting logs when tomcat starts up but
> how we can find it without logging into the tomcat server.
>
> Thanks,
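A servlet of the kind Mark describes, added here as an illustration; it is not code posted by anyone in the thread. It reads the same server.number and server.built values that version.sh prints through org.apache.catalina.util.ServerInfo, which lives in catalina.jar on Tomcat's common class loader and is therefore visible to web applications (so catalina.jar must be on the compile classpath, typically as a provided dependency). Because the page discloses exactly what Chris warns about, it is gated behind a role rather than left world-readable. The URL pattern /version, the role name version-reader and the class name are assumptions; a login-config in web.xml and a realm user holding that role are also assumed.

```java
// Added example (not from the thread): a Tomcat 9 / javax.servlet servlet that
// reports the values version.sh prints, gated behind an assumed role.
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.util.ServerInfo;

@WebServlet(urlPatterns = "/version")   // assumed path
// Only principals in the (assumed) role version-reader may reach this page.
// A <login-config> in web.xml (e.g. BASIC, served only over TLS) and a realm
// user holding the role are still required; without them Tomcat answers 403.
@ServletSecurity(@HttpConstraint(rolesAllowed = "version-reader"))
public class VersionServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // ServerInfo exposes the server.info, server.number and server.built
        // properties that version.sh and the startup log print, e.g.
        // "Apache Tomcat/9.0.87", "9.0.87.0" and the build timestamp.
        resp.setContentType("text/plain");
        resp.setCharacterEncoding("UTF-8");
        // Keep intermediaries and browsers from retaining the answer.
        resp.setHeader("Cache-Control", "no-store");
        try (PrintWriter out = resp.getWriter()) {
            out.println("server.info=" + ServerInfo.getServerInfo());
            out.println("server.number=" + ServerInfo.getServerNumber());
            out.println("server.built=" + ServerInfo.getServerBuilt());
        }
    }
}
```

Once the webapp is deployed, the value can be read remotely the way the original question asks, for example `curl -u user:password https://host/app/version`, where the credentials belong to a realm user in the assumed role. If the servlet were deployed without the @ServletSecurity constraint, it would be the information leak Chris describes: anyone able to reach the port could read the exact build.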
Retrieve server.built, server.number
Hi All,

I would like to know is there a way to find tomcat's server.built and server.number remotely using tool like curl or from browser?

I am currently running tomcat v 9.0.87. This information gets displayed when we run version.sh or in the starting logs when tomcat starts up, but how can we find it without logging into the tomcat server.

Thanks,