IC90712: (SSPCM) PEN TEST: L-004 VERSION INFORMATION REVEALED IN PAGE TITLE

APAR status

  • Closed as program error.

Error description

  • L-004 Version Information Revealed In Page Title
    Remove or Suppress Version Numbers
    L3 Comment: Remove the Jetty version information from the
    response headers in SSP Configuration Manager
    

Local fix

  • STRRTC - 367003
    DE/RJ
    Circumvention:
    Update to latest SSPBuild
    

Problem summary

  • Security scan revealed that the version of the web server used
    by SSP CM is displayed in the HTTP header. This gives an
    attacker a head start in designing an attack specific to that
    web server version.
    

Problem conclusion

  • Updated the SSP CM web server parameters to no longer broadcast
    the version of the software in the HTTP headers.
    

Temporary fix

  • Enabled Jetty feature to turn off sending the version
    information on HTTP responses.
    

Comments

  • Fix included in SSP3417.
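
One way to confirm the result after updating is to scan a captured response for version banners in the headers and in the page title. This is an added example, not IBM's code; the function name, the set of headers checked, and both sample responses (including their version numbers and title text) are constructed for illustration.

```python
import re

# Headers that commonly carry a product banner (assumed set for this example).
BANNER_HEADERS = {"server", "x-powered-by"}
# A product token followed by a dotted version, e.g. "Name(1.2.3)" or "Name/1.2".
# A bare major number ("Name/2") is deliberately not flagged to limit false positives.
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*\s*[/( ]\s*v?\d+(?:\.\d+)+[\w.-]*")
TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)


def find_version_leaks(raw_response):
    """Return (location, value) pairs where the response reveals a version."""
    head, _, body = raw_response.partition("\r\n\r\n")
    header_lines = head.split("\r\n")[1:]  # skip the status line ("HTTP/1.1 ...")
    leaks = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in BANNER_HEADERS and VERSION_RE.search(value):
            leaks.append(("header:" + name.strip(), value.strip()))
    for title in TITLE_RE.findall(body):
        if VERSION_RE.search(title):
            leaks.append(("title", " ".join(title.split())))
    return leaks


# Constructed response resembling the finding: banner in a header and in the title.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Jetty(1.2.3.v00000000)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Configuration Manager 9.9.9</title></head></html>"
)
# Constructed response with no version banner anywhere.
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Configuration Manager</title></head></html>"
)

if __name__ == "__main__":
    for label, response in (("before", BEFORE), ("after", AFTER)):
        print(label, find_version_leaks(response) or "no version disclosed")
```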
    

APAR Information

  • APAR number

    IC90712

  • Reported component name

    STR SECURE PROX

  • Reported component ID

    5725D0300

  • Reported release

    341

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2013-03-08

  • Closed date

    2013-05-01

  • Last modified date

    2013-05-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    STR SECURE PROX

  • Fixed component ID

    5725D0300

Applicable component levels

  • R341 PSY

       UP



Document information


More support for:

Sterling Secure Proxy

Software version:

341

Reference #:

IC90712

Modified date:

2013-05-01
