Aaron created ZOOKEEPER-3731:
--------------------------------

             Summary: Disable HTTP TRACE Method
                 Key: ZOOKEEPER-3731
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3731
             Project: ZooKeeper
          Issue Type: Improvement
    Affects Versions: 3.5.7
            Reporter: Aaron

ZooKeeper uses embedded Jetty, which allows the TRACE method by default. This is a widely known security concern. Please disable the HTTP TRACE method. See CVE-2004-2320, CVE-2010-0386 and CVE-2003-1567 for more info.

Example:

{quote}
$ curl -vX TRACE 10.32.99.185:8080
* Rebuilt URL to: 10.32.99.185:8080/
*   Trying 10.32.99.185...
* TCP_NODELAY set
* Connected to 10.32.99.185 (10.32.99.185) port 8080 (#0)
> TRACE / HTTP/1.1
> Host: 10.32.99.185:8080
> User-Agent: curl/7.59.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 18 Feb 2020 12:38:35 GMT
< Content-Type: message/http
< Content-Length: 81
< Server: Jetty(9.4.17.v20190418)
<
TRACE / HTTP/1.1
User-Agent: curl/7.59.0
Accept: */*
Host: 10.32.99.185:8080
* Connection #0 to host 10.32.99.185 left intact
{quote}

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
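One way to reject TRACE in an embedded Jetty 9.4 server, shown here as an added example rather than ZooKeeper's own fix for this issue: map a `Constraint` that requires authentication but grants no roles to the TRACE method on every path, which Jetty treats as forbidden and answers with 403 instead of echoing the request. The class and method names are hypothetical; the port matches the report above.

```java
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.util.security.Constraint;

// Hypothetical class name; illustrates the Jetty 9.4 recipe, not ZooKeeper's patch.
public class DenyTraceExample {

    // Builds a security handler whose only job is to forbid TRACE on /*.
    static ConstraintSecurityHandler denyTraceHandler() {
        Constraint deny = new Constraint();
        deny.setName("deny-trace");
        // authenticate=true with no roles: Constraint.isForbidden() becomes true,
        // so no principal can ever satisfy it and Jetty returns 403.
        deny.setAuthenticate(true);

        ConstraintMapping mapping = new ConstraintMapping();
        mapping.setConstraint(deny);
        mapping.setMethod("TRACE");   // applies only to the TRACE method
        mapping.setPathSpec("/*");    // on every path of the context

        ConstraintSecurityHandler security = new ConstraintSecurityHandler();
        security.addConstraintMapping(mapping);
        return security;
    }

    public static void main(String[] args) throws Exception {
        // Port 8080 as in the report; any other embedded Jetty setup works the same way.
        Server server = new Server(8080);
        ServletContextHandler context =
                new ServletContextHandler(ServletContextHandler.SESSIONS);
        context.setContextPath("/");
        // Attaching the handler to the context enforces the constraint
        // before any servlet (and its default doTrace echo) is reached.
        context.setSecurityHandler(denyTraceHandler());
        server.setHandler(context);
        server.start();
        server.join();
    }
}
```

With this in place the same `curl -vX TRACE` probe from the report should return `HTTP/1.1 403 Forbidden` with no echoed request headers, which is the check to rerun after deploying the change.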