On 4/11/24 10:59, Mark Thomas wrote:


On 11/04/2024 15:49, Bill Stewart wrote:
On Wed, Apr 10, 2024 at 2:14 PM Mark Thomas wrote:

... and it might represent an information leakage vulnerability in your
application. Be careful.

Shall we start the flame war now on whether exposing the current version
you are running represents a valid vulnerability or if hiding it is
just security by obscurity? Or do you want to save it for Bratislava?

:)

More seriously, your time is likely to be better spent (in my view)
keeping your Tomcat installations up to date with the latest releases
than it is ensuring that you hide the version number.


The amusing thing (or irritating thing, depending on your point of view) is
when a large organization uses a vulnerability scanner and a Tomcat
instance gets flagged as a security risk because it reveals its version
number in the 404 error page. (Yes, this is a real scenario.)

At least it is an easy fix: showServerInfo="false"

assuming that is going to be easier than convincing folks that exposing the version number isn't an issue.

+1

Revealing the server version isn't a vulnerability, period. But if your operational practices are such that you leave old versions that have known published vulnerabilities running in production, then you have broken operational practices that need to be fixed.

IMHO, revealing your server version number may be an incentive to keep your software up-to-date.

On the flip side, hiding your server's version number is *not a valid security control*. If you are advertising your server version number it only increases the likelihood of someone identifying your site as potentially vulnerable /if you have an old version/.

If a zero-day is published against Tomcat, anyone who wants to attack Tomcat-based services will attack anyone they want since the vulnerability is likely to affect both old-version and new-version deployments.

But well-known vulnerabilities from past versions may make it attractive for miscreants to use something like Shodan to search for servers running particularly old versions to attack them.

So... if you want to reveal your server version, feel free to do so. But make sure you stay up-to-date. You should always stay up-to-date. The policy of the Apache Tomcat Security Team is to release security-related patches with announcements /coming later/. So any release may be a security-related release. You won't know until afterward whether or not it's an "important" update.

-chris
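The two checks that come up in this thread, as an added example that is not part of the original e-mail thread or of the Tomcat project's own code: first, an audit of a server.xml that reports which Hosts will still print the Tomcat version on error pages (a Host with no ErrorReportValve gets Tomcat's default one, whose showServerInfo defaults to true, so only an explicit valve with showServerInfo="false" suppresses it); second, the kind of pattern match a vulnerability scanner applies to a 404 body or a Server header to flag the version. The server.xml fragment, the two 404 bodies and the version numbers in them are constructed for this example.

```python
"""Audit a Tomcat server.xml and sample error pages for version disclosure.

Added example for the thread above; not code from the Tomcat project.
The server.xml fragment and the 404 bodies below are constructed samples.
"""
import re
import xml.etree.ElementTree as ET

ERROR_REPORT_VALVE = "org.apache.catalina.valves.ErrorReportValve"

# Pattern a scanner would use to pull the version out of the default error page
# (the default ErrorReportValve prints "Apache Tomcat/<version>") or a Server header.
VERSION_RE = re.compile(r"Apache Tomcat/(\d+(?:\.\d+)*)")


def audit_error_report_valves(server_xml: str) -> dict:
    """Map each Host name to True if its error pages will disclose the version.

    - No ErrorReportValve on the Host: Tomcat adds the default valve, and its
      showServerInfo attribute defaults to true, so the version is shown.
    - Explicit ErrorReportValve: the version is shown unless showServerInfo="false".
    """
    root = ET.fromstring(server_xml)
    leaks = {}
    for host in root.iter("Host"):
        name = host.get("name", "?")
        valves = [v for v in host.findall("Valve")
                  if v.get("className") == ERROR_REPORT_VALVE]
        if not valves:
            leaks[name] = True
        else:
            leaks[name] = any(v.get("showServerInfo", "true").strip().lower() != "false"
                              for v in valves)
    return leaks


def find_version_leak(headers: dict, body: str):
    """Return the Tomcat version found in the Server header or the response body, or None."""
    for text in (headers.get("Server", ""), body):
        match = VERSION_RE.search(text)
        if match:
            return match.group(1)
    return None


# Constructed server.xml: one Host relying on the default valve, one hardened Host.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
    <!-- No ErrorReportValve here: Tomcat's default one shows the version -->
    <Host name="localhost" appBase="webapps"/>
    <!-- Hardened: explicit valve with showServerInfo="false" -->
    <Host name="hardened.example" appBase="webapps">
      <Valve className="org.apache.catalina.valves.ErrorReportValve"
             showReport="false" showServerInfo="false"/>
    </Host>
    </Engine>
  </Service>
</Server>
"""

# Constructed 404 bodies, modelled on the default error page before and after the fix.
LEAKY_404 = ('<html><head><title>HTTP Status 404 - Not Found</title></head>'
             '<body><h1>HTTP Status 404 - Not Found</h1><hr class="line" />'
             '<h3>Apache Tomcat/9.0.87</h3></body></html>')
HARDENED_404 = ('<html><head><title>HTTP Status 404 - Not Found</title></head>'
                '<body><h1>HTTP Status 404 - Not Found</h1></body></html>')


if __name__ == "__main__":
    for host, leaks in audit_error_report_valves(SAMPLE_SERVER_XML).items():
        print(f"{host}: {'discloses version' if leaks else 'ok'}")
    print("leaky 404 ->", find_version_leak({}, LEAKY_404))
    print("hardened 404 ->", find_version_leak({}, HARDENED_404))
```

Run the audit against a real server.xml to confirm the fix landed on every Host, and feed the body of a request for a non-existent path into `find_version_leak` to reproduce what the scanner in the thread is matching on. Note that a `Server` header is only sent if the Connector's `server` attribute is set, so the error page is the usual place the version shows up.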
