Posted to issues@zookeeper.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2020/11/17 03:23:00 UTC
[jira] [Updated] (ZOOKEEPER-3731) Disable HTTP TRACE Method
[ https://issues.apache.org/jira/browse/ZOOKEEPER-3731?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
ASF GitHub Bot updated ZOOKEEPER-3731:
--------------------------------------
Labels: pull-request-available (was: )
> Disable HTTP TRACE Method
> -------------------------
>
> Key: ZOOKEEPER-3731
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3731
> Project: ZooKeeper
> Issue Type: Improvement
> Affects Versions: 3.5.7
> Reporter: Aaron
> Priority: Critical
> Labels: pull-request-available
> Time Spent: 10m
> Remaining Estimate: 0h
>
> ZooKeeper uses embedded jetty which allows TRACE method by default. This is a widely-known security concern. Please disable HTTP TRACE method.
>
> CVE-2004-2320, CVE-2010-0386, CVE-2003-1567 for more info.
>
> Example:
> {quote}{{$ curl -vX TRACE 10.32.99.185:8080}}
> {{* Rebuilt URL to: 10.32.99.185:8080/}}
> {{* Trying 10.32.99.185...}}
> {{* TCP_NODELAY set}}
> {{* Connected to 10.32.99.185 (10.32.99.185) port 8080 (#0)}}
> {{> TRACE / HTTP/1.1}}
> {{> Host: 10.32.99.185:8080}}
> {{> User-Agent: curl/7.59.0}}
> {{> Accept: */*}}
> {{>}}
> {{< HTTP/1.1 200 OK}}
> {{< Date: Tue, 18 Feb 2020 12:38:35 GMT}}
> {{< Content-Type: message/http}}
> {{< Content-Length: 81}}
> {{< Server: Jetty(9.4.17.v20190418)}}
> {{<}}
> {{TRACE / HTTP/1.1}}
> {{User-Agent: curl/7.59.0}}
> {{Accept: */*}}
> {{Host: 10.32.99.185:8080}}
> {{* Connection #0 to host 10.32.99.185 left intact}}{quote}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
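The issue above asks for HTTP TRACE to be refused by the embedded Jetty that serves ZooKeeper's admin endpoint. One way to do that on a Jetty 9.4 server, written here as an added example and not the ZooKeeper project's own code or its eventual fix for ZOOKEEPER-3731, is a servlet Filter that answers every TRACE request with 405 Method Not Allowed before any servlet can echo the request back. It assumes the `javax.servlet` 3.1 API and the `org.eclipse.jetty.servlet` module; the port and the `Allow` header value are placeholders, not ZooKeeper's configuration.

```java
// Added example (not ZooKeeper's own code): refuse HTTP TRACE on an embedded
// Jetty 9.4 server with a servlet Filter that answers 405 Method Not Allowed.
import java.io.IOException;
import java.util.EnumSet;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.ServletContextHandler;

public class DisableTraceExample {

    /** Filter that short-circuits TRACE requests before any servlet sees them. */
    public static final class NoTraceFilter implements Filter {
        @Override
        public void init(FilterConfig filterConfig) {
            // nothing to configure
        }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            if (request instanceof HttpServletRequest
                    && "TRACE".equalsIgnoreCase(((HttpServletRequest) request).getMethod())) {
                HttpServletResponse resp = (HttpServletResponse) response;
                // Reply 405 without reflecting any part of the request (headers included)
                // back to the client, which is what a default TRACE handler would do.
                resp.setHeader("Allow", "GET, POST"); // placeholder list; match the real endpoints
                resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
                return;
            }
            chain.doFilter(request, response);
        }

        @Override
        public void destroy() {
            // nothing to release
        }
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080); // placeholder port, not ZooKeeper's admin port setting
        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
        context.setContextPath("/");
        // Register the filter on every path and for every dispatch type so no
        // servlet or error page mapped later can be reached with TRACE.
        context.addFilter(NoTraceFilter.class, "/*", EnumSet.allOf(DispatcherType.class));
        server.setHandler(context);
        server.start();
        server.join();
    }
}
```

With the filter in place, the same `curl -vX TRACE` check quoted in the issue should come back as `HTTP/1.1 405 Method Not Allowed` with an empty body instead of `200 OK` with `Content-Type: message/http`; that status line is the thing to assert in a regression test, since a 200 that merely changes its body would still reflect request headers.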