[ https://issues.apache.org/jira/browse/ZOOKEEPER-3731?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andor Molnar updated ZOOKEEPER-3731:
------------------------------------
Fix Version/s: 3.8.5
> Disable HTTP TRACE Method
> -------------------------
>
> Key: ZOOKEEPER-3731
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3731
> Project: ZooKeeper
> Issue Type: Improvement
> Affects Versions: 3.5.7
> Reporter: Aaron
> Assignee: Enrico Olivelli
> Priority: Critical
> Labels: pull-request-available
> Fix For: 3.9.0, 3.8.5
>
> Time Spent: 2h 40m
> Remaining Estimate: 0h
>
> ZooKeeper uses embedded Jetty, which allows the TRACE method by default. This is a
> widely-known security concern. Please disable the HTTP TRACE method.
>
> See CVE-2004-2320, CVE-2010-0386 and CVE-2003-1567 for more info.
>
> Example:
>
>     $ curl -vX TRACE 10.32.99.185:8080
>     * Rebuilt URL to: 10.32.99.185:8080/
>     *   Trying 10.32.99.185...
>     * TCP_NODELAY set
>     * Connected to 10.32.99.185 (10.32.99.185) port 8080 (#0)
>     > TRACE / HTTP/1.1
>     > Host: 10.32.99.185:8080
>     > User-Agent: curl/7.59.0
>     > Accept: */*
>     >
>     < HTTP/1.1 200 OK
>     < Date: Tue, 18 Feb 2020 12:38:35 GMT
>     < Content-Type: message/http
>     < Content-Length: 81
>     < Server: Jetty(9.4.17.v20190418)
>     <
>     TRACE / HTTP/1.1
>     User-Agent: curl/7.59.0
>     Accept: */*
>     Host: 10.32.99.185:8080
>     * Connection #0 to host 10.32.99.185 left intact
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
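As an added example (not ZooKeeper's or Jetty's own code), the following Python script automates the check the curl transcript above performs by hand: it sends a TRACE request, treats a 200 response whose body is a `message/http` echo of the request as "TRACE enabled", and exercises that probe against two constructed local stand-in servers, one that echoes the request the way the Jetty 9.4 default does and one that answers 405. The handler classes, the `X-Trace-Probe` marker header and the loopback addresses are assumptions for the demo; no real ZooKeeper admin server is contacted.

```python
"""Probe an HTTP endpoint for an enabled TRACE method.

Added example, not ZooKeeper or Jetty code. The two local servers below are
constructed stand-ins: one mimics the 200 + message/http echo seen in the
report, the other the hardened behaviour (405 with an Allow header).
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class EchoingTraceHandler(BaseHTTPRequestHandler):
    """Stand-in for the default behaviour: TRACE echoes the request back."""

    def do_TRACE(self):
        # Rebuild the request line and headers, like the message/http body
        # in the curl transcript.
        body = f"{self.requestline}\r\n"
        body += "".join(f"{k}: {v}\r\n" for k, v in self.headers.items())
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo output quiet
        pass


class HardenedHandler(BaseHTTPRequestHandler):
    """Stand-in for a server with TRACE disabled: 405 plus Allow header."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def probe_trace(host, port, path="/", marker="X-Trace-Probe", timeout=5):
    """Send one TRACE request; return (status, content_type, body).

    A marker header is added so an echo is recognisable even if the server
    does not label the body message/http.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", path, headers={marker: "probe-1"})
        resp = conn.getresponse()
        body = resp.read().decode("latin-1", "replace")
        return resp.status, resp.getheader("Content-Type", ""), body
    finally:
        conn.close()


def trace_enabled(host, port, path="/"):
    """True when the server echoes TRACE requests (what scanners flag)."""
    status, ctype, body = probe_trace(host, port, path)
    if status != 200:
        return False
    return ctype.lower().startswith("message/http") or "X-Trace-Probe: probe-1" in body


def start_server(handler):
    """Serve `handler` on an ephemeral loopback port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Run the probe against both stand-ins; return {name: trace_enabled}."""
    results = {}
    for name, handler in (("vulnerable", EchoingTraceHandler),
                          ("hardened", HardenedHandler)):
        server, port = start_server(handler)
        try:
            results[name] = trace_enabled("127.0.0.1", port)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, enabled in demo().items():
        print(f"{name}: TRACE {'enabled' if enabled else 'disabled'}")
```

Pointing `trace_enabled` at a real admin server port (the default ZooKeeper AdminServer port is 8080, as in the transcript) turns it into a regression check: it should return False once the fix is deployed. The marker header matters because some servers echo the request with a generic content type, so matching only on `message/http` would miss them.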