Web Server Discloses Software Type And Version Vulnerability when scanning Novell Access Manager

This document (7011409) is provided subject to the disclaimer at the end of this document.

Environment

Identity Server and Access Gateway of 3.2 SP1 installed on Windows 2008 R2
NetIQ Access Manager 3.2 Support Pack 1 applied

Situation

Identity (IDP) Server and Access Gateway (AG) of 3.2 SP1 installed and configured on the Windows 2008 R2 platform. All Web applications protected by the Access Gateway worked fine, i.e. users could single sign-on to back-end applications behind the AG after having successfully authenticated at the IDP server.

Before going live, a security scan of the system found the following vulnerability:

Web Server Discloses Software Type And Version [NOT FIXED]

Source: Web Application Assessment

Level Of Severity Suggested Likelihood Of Threat: High

Affected Components: neologin-staging.novell.com (443/tcp)

Finding
The Team observed that the web servers on the affected hosts disclosed information about their software type and version within the HTTP 'Server' header field:

neologin-staging.novell.com:
Apache-Coyote/1.1

Recommendation
Recommend that the web server should be reconfigured to display the minimal amount of information, or to display false information.
Apache servers can be configured to give the minimum amount of information by adding the following directive to the Apache configuration file (usually 'httpd.conf' or 'apache.conf'):

ServerTokens Prod

Alternatively, on Apache-based servers 'mod_security' can be used to change the server signature to any value. The following directive should be added to the configuration file:

SecServerSignature "New_Server_Signature"

Resolution

Modify the IDP connector definition in server.xml to add a server="..." attribute; Tomcat then returns that value in the HTTP Server header instead of its default.

In the setup above, the Apache-Coyote/1.1 Server header was returned by the IDP server. Modify C:\Program Files (x86)\Novell\Tomcat\conf\server.xml so that the IDP connector reads as follows (note the server="Confidential" attribute at the end; all other attributes are left as they were):

<Connector NIDP_Name="connector"
           SSLEnabled="true"
           URIEncoding="utf-8"
           acceptCount="0"
           address="21.207.236.84"
           clientAuth="false"
           disableUploadTimeout="true"
           enableLookups="false"
           keystoreFile="C:\Program Files (x86)\Novell\devman\jcc/certs/idp/connector.keystore"
           keystorePass="cAOr9312zor2X28"
           maxThreads="600"
           minSpareThreads=" 5 "
           port="8443"
           scheme="https"
           sslImplementationName="com.novell.nidp.common.util.net.server.NIDPSSLImplementation"
           sslProtocol="tls"
           useBodyEncodingURI="false"
           server="Confidential"/>

Then restart Tomcat with the following commands:

net stop tomcat7
net start tomcat7

After the restart, the Server HTTP header is returned as "Confidential".
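To confirm the change took effect (and to re-run the scanner's check yourself before the next assessment), the following script, added here as an example and not part of the original TID or any NetIQ tooling, parses an HTTP response and flags a Server header that carries a product/version token. The two sample responses are constructed: the first mirrors the scan finding (Apache-Coyote/1.1), the second the IDP after the server="Confidential" attribute was added. The fetch_raw_head helper performs a live HEAD request over TLS against a host you name; the host, port and regex used here are assumptions, not values from the TID.

```python
import re
import socket
import ssl

# Matches a product token followed by a version, e.g. "Apache-Coyote/1.1",
# "Apache/2.4.41" or "Microsoft-IIS/8.5". A bare word such as "Confidential"
# or "Apache" does not match. (Assumed heuristic, not the scanner's own rule.)
VERSION_RE = re.compile(r"^[A-Za-z0-9._-]+/\d+(\.\d+)*")


def parse_headers(raw_response: bytes) -> dict:
    """Parse the header block of a raw HTTP response into a dict keyed by
    lower-cased header name. The status line and the body are ignored."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_server_header(raw_response: bytes) -> dict:
    """Report whether the Server header discloses software type and version."""
    headers = parse_headers(raw_response)
    server = headers.get("server")
    if server is None:
        return {"server": None, "discloses_version": False,
                "reason": "no Server header present"}
    if VERSION_RE.match(server):
        return {"server": server, "discloses_version": True,
                "reason": "product/version token present"}
    return {"server": server, "discloses_version": False,
            "reason": "Server header carries no version"}


def fetch_raw_head(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Live check: send a HEAD request over TLS and return the raw response
    bytes, which can then be passed to classify_server_header(). Not called
    by the offline demo below; host and port are whatever you supply."""
    ctx = ssl.create_default_context()
    request = (f"HEAD / HTTP/1.1\r\nHost: {host}\r\n"
               "Connection: close\r\n\r\n").encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(request)
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return b"".join(chunks)


# Constructed sample responses (not captured from a real host).
BEFORE = (b"HTTP/1.1 200 OK\r\n"
          b"Server: Apache-Coyote/1.1\r\n"
          b"Content-Length: 0\r\n\r\n")
AFTER = (b"HTTP/1.1 200 OK\r\n"
         b"Server: Confidential\r\n"
         b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, classify_server_header(raw))
```

Run it as-is to see the before/after classification on the constructed samples; to check a real IDP, call classify_server_header(fetch_raw_head("your-idp-host", 8443)) from a host that can reach the connector port. A finding of discloses_version True after the restart usually means the edited server.xml was not the one Tomcat loaded, or that a front-end proxy is adding its own Server header.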

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7011409
  • Creation Date: 21-NOV-12
  • Modified Date: 21-NOV-12
    • NetIQ Access Manager (NAM)
