How to disable Jetty server version details in the HTTP response header
Article ID: KB0070715
Products
Versions
TIBCO ActiveMatrix Service Grid
3.4.0,3.4.1
Description
By default, the Jetty server used in AMX 3.4.x and BPME 4.3.x includes the Jetty version in the response header. This can raise security concerns, as "The version of technology used is disclosed in the response of the application. This information can help an attacker gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version. An intruder might use the revealed version of technology to exploit vulnerabilities in the disclosed version."
Example:
=======================================================================
HTTP/1.1 200 OK
Date: Thu, 18 Jan 2024 09:26:21 GMT
Content-Type: text/xml;charset="UTF-8"
Vary: Accept-Encoding, User-Agent
Server: Jetty(9.2.25.v20180606)
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><HelloResponse xmlns="http://ns.tibco.com/Hello/">Hi paresh! This is the Java component.
</HelloResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>
========================================================================
Steps to reproduce the issue:
1.) Deploy a sample SOA application on the AMX platform.
2.) Invoke the application from SoapUI or any other tool.
3.) Check the response headers of the request.
Issue/Introduction
How to disable Jetty server version details in the HTTP response header
Environment
ALL
Resolution
The Jetty server version details can be removed from the HTTP response header from AMX 3.4.0 HF 03 onwards.
Steps to resolve the issue: Add the following property at the Node level. This can be done in either of two ways:
1.) From Admin UI:
a.) Go to Admin UI --> Infrastructure --> Node --> Change the environment and select the Node.
b.) Click on Configuration --> JVM Configuration --> Click on Add and enter the property "com.tibco.amf.node.disableSendServerVersion" --> In the Value column, enter "true".
c.) Click on Save --> Then click on the Install/Sync option.
==================================================================================================================================================================
2.) By updating the Node.tra file without using Admin UI:
a.) Add the following JVM property to the runtime node.tra file. Please note: when updating the tra file directly, the property must be prefixed with "java.property." as shown below:
==================================================
java.property.com.tibco.amf.node.disableSendServerVersion=true
==================================================
b.) Save the change and restart the Node with the -clean option. Run the following commands from "Config_Home\tibco\data\tibcohost\<Enterprise-Name>\host\bin":
===========================================
./tibcohost stopNodes -nodeName <Node_Name>
./tibcohost startNodes -nodeName <Node_Name> -clean
============================================
Validation: After performing the above steps, the Jetty version details are no longer present in the HTTP response header.
Before enabling the property on the node, the Jetty server version is shown:
=================================================================================
HTTP/1.1 200 OK
Date: Thu, 18 Jan 2024 09:26:21 GMT
Content-Type: text/xml;charset="UTF-8"
Vary: Accept-Encoding, User-Agent
Server: Jetty(9.2.25.v20180606)
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><HelloResponse xmlns="http://ns.tibco.com/Hello/">Hi Test! This is the Java component.
</HelloResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>
======================================
After enabling the property on the node, the Jetty server version is no longer shown:
===================================================================================
HTTP/1.1 200 OK
Date: Thu, 18 Jan 2024 11:59:46 GMT
Content-Type: text/xml;charset="UTF-8"
Vary: Accept-Encoding, User-Agent
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Header/><SOAP-ENV:Body><HelloResponse xmlns="http://ns.tibco.com/Hello/">Hi Test! This is the Java component.
</HelloResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>
===================================================================================
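The validation step above can be scripted so it is repeatable after every node restart or hotfix. The following is an added example, not TIBCO's code: a hypothetical POSIX shell helper that reads raw HTTP response headers (for example from curl -D -) and fails when a Server header still carries a version string. The two sample responses are constructed to mirror the before/after captures in this article.

```shell
#!/bin/sh
# Hypothetical helper (added example, not part of the AMX product):
# reads raw HTTP response headers on stdin and reports whether the
# Server header still discloses a version such as "Jetty(9.2.25.v20180606)".
# Live use against a node endpoint:
#   curl -sS -D - -o /dev/null http://<host>:<port>/<service> | server_header_check
server_header_check() {
    # Strip CR, stop at the blank line that ends the header block,
    # then pick the first Server header (header names are case-insensitive).
    server_line=$(tr -d '\r' | sed '/^$/q' | grep -i '^server:' | head -n 1)
    if [ -z "$server_line" ]; then
        echo "OK: no Server header in response"
        return 0
    fi
    # Any digit in the Server value is treated as a version disclosure.
    case "$server_line" in
        *[0-9]*)
            echo "FAIL: version disclosed -> $server_line"
            return 1 ;;
        *)
            echo "OK: Server header present but carries no version -> $server_line"
            return 0 ;;
    esac
}

# Constructed sample responses modelled on the article's captures.
BEFORE='HTTP/1.1 200 OK
Date: Thu, 18 Jan 2024 09:26:21 GMT
Content-Type: text/xml;charset="UTF-8"
Vary: Accept-Encoding, User-Agent
Server: Jetty(9.2.25.v20180606)

<body omitted>'
AFTER='HTTP/1.1 200 OK
Date: Thu, 18 Jan 2024 11:59:46 GMT
Content-Type: text/xml;charset="UTF-8"
Vary: Accept-Encoding, User-Agent

<body omitted>'

# Before the property is set: prints FAIL, exit status 1.
printf '%s\n' "$BEFORE" | server_header_check || echo "exit status: $?"
# After the property is set: prints OK, exit status 0.
printf '%s\n' "$AFTER" | server_header_check || echo "exit status: $?"
```

The check also accepts a bare "Server: Jetty" banner, so it flags only the version disclosure this article is about, not the presence of a product name.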