[ https://issues.apache.org/jira/browse/AMQ-6951?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Matt Pavlovich reassigned AMQ-6951:
-----------------------------------

    Assignee: Matt Pavlovich

> Hide embedded jetty version
> ---------------------------
>
>                 Key: AMQ-6951
>                 URL: https://issues.apache.org/jira/browse/AMQ-6951
>             Project: ActiveMQ
>          Issue Type: New Feature
>            Reporter: Marcos Moreno Martin
>            Assignee: Matt Pavlovich
>            Priority: Major
>             Fix For: 5.15.15, 5.16.2
>
>
> Hi,
> sorry in advance if this is something easy for jetty experts. We need some
> guidance or see if hiding the embedded jetty configuration is possible.
> We have not seen anywhere in the documentation how to hide the embedded jetty
> version. This is marked as a security threat by our penetration testers when
> we are using a web sockets transport on port 80. We have been playing around
> with the configuration file jetty.xml and the parameters, but no success. It
> has been addressed for other projects (see
> https://issues.apache.org/jira/browse/HADOOP-13414)
> So far we have been trying to change the configuration in jetty.xml.
> As far as we know, this should be the configuration for the property:
> {code:java}
> <bean id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
>     <property name="sendServerVersion" value="false">
>     </property>
> </bean>
> {code}
> However, this has no effect in the exposing of the version. We tried further
> and tried with a connection factory, but this also had no effect:
> {code:java}
> <bean id="invokeConnectors"
>       class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
>     <property name="targetObject" ref="Server" />
>     <property name="targetMethod" value="setConnectors" />
>     <property name="arguments">
>         <list>
>             <bean id="Connector" class="org.eclipse.jetty.server.ServerConnector">
>                 <constructor-arg ref="Server" />
>                 <constructor-arg>
>                     <list>
>                         <bean id="httpConnectionFactory"
>                               class="org.eclipse.jetty.server.HttpConnectionFactory">
>                             <constructor-arg ref="httpConfig"/>
>                         </bean>
>                     </list>
>                 </constructor-arg>
>                 <!-- see the jettyPort bean -->
>                 <property name="host" value="#{systemProperties['jetty.host']}" />
>                 <property name="port" value="#{systemProperties['jetty.port']}" />
>             </bean>
>         </list>
>     </property>
> </bean>
> {code}
> Are we on the right track, or does it need to be addressed by the codebase of
> ActiveMQ?
> This is how we show the version:
> {code:java}
> #nmap -sV -p80 localhost
> Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-23 18:16 CEST
> Nmap scan report for localhost (127.0.0.1)
> Host is up (0.000098s latency).
> PORT   STATE SERVICE VERSION
> 80/tcp open  http    Jetty 9.2.22.v20170606
> Service detection performed. Please report any incorrect results at
> https://nmap.org/submit/ .
> Nmap done: 1 IP address (1 host up) scanned in 11.34 seconds
> {code}

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
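
Added example (not part of the original issue and not ActiveMQ or Jetty code): a small regression check for the setting discussed above. It inspects the `Server` response header, which Jetty's `sendServerVersion` option controls, and reports any product/version banner. The function names and the two sample responses are constructed for illustration; `fetch_head` is a hypothetical helper for running the same check against your own broker.

```python
import re
import socket

# Product token followed by a version, e.g. "Jetty(9.2.22.v20170606)" or "name/1.2.3".
VERSION_RE = re.compile(r"([A-Za-z][\w.-]*)\s*[(/]\s*v?(\d+(?:\.\d+)+[\w.-]*)")
BANNER_HEADERS = ("server", "x-powered-by")


def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP response into {lowercase-name: value}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def version_leaks(raw: bytes) -> list:
    """Return (header, product, version) for every banner header exposing a version."""
    headers = parse_headers(raw)
    leaks = []
    for name in BANNER_HEADERS:
        m = VERSION_RE.search(headers.get(name, ""))
        if m:
            leaks.append((name, m.group(1), m.group(2)))
    return leaks


def fetch_head(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Send one HEAD request and return the raw response head (for live checks)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:
                break
            data += chunk
    return data


# Constructed sample responses (not captured from a real broker).
BEFORE = b"HTTP/1.1 200 OK\r\nServer: Jetty(9.2.22.v20170606)\r\nContent-Length: 0\r\n\r\n"
AFTER = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(version_leaks(BEFORE), version_leaks(AFTER))
```

In a deployment test, `version_leaks(fetch_head(host, port))` should return an empty list once the version banner is suppressed.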