Web Server Discloses Software Type And Version Vulnerability when scanning Novell Access Manager
This document (7011409) is provided subject to the disclaimer at the end of this document.
NetIQ Access Manager 3.2 Support Pack 1 applied
Before going live, a security scan of the system found the following vulnerability:
Web Server Discloses Software Type And Version [NOT FIXED]
- Source: Web Application Assessment
- Level Of Severity / Suggested Likelihood Of Threat: High
- Affected Components: neologin-staging.novell.com (443/tcp)
The Team observed that the web servers on the affected hosts disclosed information about their software type and version within the HTTP ‘Server’ header field:
It is recommended that the web server be reconfigured to display the minimal amount of information, or to display false information.
Apache servers can be configured to give the minimum amount of information by adding the following directive to the Apache configuration file (usually ‘httpd.conf’ or ‘apache.conf’):
Alternatively, on Apache-based servers ‘mod_security’ can be used to change the server signature to any value. The following directive should be added to the configuration file:
In the setup above, the IDP server returned Apache-Coyote/1.1 in the HTTP Server header. The fix is to add a server="Confidential" attribute to the HTTPS Connector element in C:\Program Files (x86)\Novell\Tomcat\conf\server.xml, so that the element reads as follows:
<Connector NIDP_Name="connector" SSLEnabled="true" URIEncoding="utf-8" acceptCount="0" address="22.214.171.124" clientAuth="false" disableUploadTimeout="true" enableLookups="false" keystoreFile="C:\Program Files (x86)\Novell\devman\jcc/certs/idp/connector.keystore" keystorePass="cAOr9312zor2X28" maxThreads="600" minSpareThreads=" 5 " port="8443" scheme="https" sslImplementationName="com.novell.nidp.common.util.net.server.NIDPSSLImplementation" sslProtocol="tls" useBodyEncodingURI="false" server="Confidential"/>
... and then to restart Tomcat with the following commands:
net stop tomcat7
net start tomcat7
After the restart, the Server HTTP header is displayed as "Confidential".
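To confirm the change took effect (and to re-check it after future upgrades), the Server header can be read back directly. The following script is an added example, not part of this TID or of Access Manager; the host name and port 8443 are assumptions, and the two sample responses are constructed to mirror the before/after values described above.

```python
"""Check whether an HTTP 'Server' header discloses software type or version."""
import re
import socket
import ssl

# Server values that reveal a product and/or version. Apache-Coyote/1.1 is the
# value the scan flagged on the IDP; a bare product name still discloses type.
DISCLOSING = re.compile(r"^(apache-coyote|apache|nginx|microsoft-iis|tomcat)(/\S+)?$", re.I)


def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP response into a lowercase-keyed dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_server_header(raw: bytes) -> str:
    """Return 'absent', 'generic', or 'discloses:<value>' for the Server header."""
    value = parse_headers(raw).get("server")
    if value is None:
        return "absent"
    if DISCLOSING.match(value):
        return "discloses:" + value
    return "generic"


def fetch_head(host: str, port: int = 8443, timeout: float = 5.0) -> bytes:
    """Send a HEAD request over TLS and return the raw response (network call).
    Certificate verification stays on; load the IDP's CA into the context if
    it is not publicly trusted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            chunks = []
            while data := tls.recv(4096):
                chunks.append(data)
            return b"".join(chunks)


# Constructed sample responses: before and after adding server="Confidential".
BEFORE = b"HTTP/1.1 200 OK\r\nServer: Apache-Coyote/1.1\r\nContent-Length: 0\r\n\r\n"
AFTER = b"HTTP/1.1 200 OK\r\nServer: Confidential\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    # Replace the constructed AFTER response with fetch_head("idp.example.com")
    # (assumed host name) to test a live IDP.
    print(classify_server_header(BEFORE), classify_server_header(AFTER))
```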
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7011409
- Creation Date:21-NOV-12
- Modified Date:21-NOV-12
- NetIQ Access Manager (NAM)