Posted to users@tomcat.apache.org by Dave Girardin <un...@gmail.com> on 2008/06/20 19:37:54 UTC

How to turn off Etag headers?

Group,

I'm a Unix admin working on a Solaris 8 server running Tomcat 6.0.16. No
other apps run on the server, for example, there is no Apache httpd running.
I have been tasked with turning off Etag headers. Our security folks have
supposedly identified this security vulnerability; note that it says Apache
but it's really Tomcat:

Vulnerability Identified: Apache ETag Header Information Disclosure Weakness

Severity: Low

Description: A cache management feature is available for Apache that makes
use of an entity tag (ETag) header. When this option is enabled and a
request is made for a document relating to a file, for caching purposes, an
ETag response header is returned containing various file attributes. A
weakness has been found in the generation of ETag headers under certain
configurations implementing the FileETag directive.

Impact: Among the file attributes included in the header is the file inode
number that is returned to a client. This poses a security risk, as this
information may aid in launching attacks against other network-based
services. For instance, NFS uses inode numbers to generate file handles.

Recommendation: Disable ETag headers. Apache 1.3.22 and earlier are not
configurable to disable the use of inodes in ETag headers. Default behavior
in later versions will still release this sensitive information. OpenBSD has
released a patch that addresses this issue. Inode numbers returned from the
server are now encoded using a private hash to avoid the release of
sensitive information.

Can anyone tell me how to disable the ETag headers? I have searched the
documentation and sorry if it's there I missed it.

Thanks!!

David

RE: How to turn off Etag headers?

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Dave Girardin [mailto:unixhound@gmail.com]
> Subject: How to turn off Etag headers?
>
> Impact: Among the file attributes included in the header
> is the file inode number that is returned to a client.

Although paranoia is often helpful when analyzing security risks, I think your assessment team may have gone overboard on this one.  Looking at the source code for DefaultServlet and ResourceAttributes, only a weak ETag is normally sent out, consisting of nothing but the file size and last modified time - unlike httpd, it does not include the inode number.  There is provision for a more detailed ETag (a strong ETag), but as far as I can tell, no use is made of it.

There are three spots in DefaultServlet that set the ETag header, and none of them appear to be configurable; if your security team insists on disabling ETags, it would be simple to just comment out those three lines.

There's a related article here:
http://blog.bcarlso.net/articles/2007/10/19/tomcat-weak-etags-and-javascript-css-caching
but the examples given contain several errors, so take it with a grain of salt.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
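Rather than patching DefaultServlet as Chuck describes, the header can be dropped without touching Tomcat's sources by wrapping the response in a servlet Filter, the approach raised later in this thread. The class below is an added example, not code from Tomcat or from anyone on the list; it is written against the Servlet 2.5 API that Tomcat 6.0.x implements, and the class name EtagStripFilter is made up for the illustration.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/*
 * Drops any ETag header that DefaultServlet (or another servlet further
 * down the chain) tries to set, so it never reaches the client.
 * Register it in the web app's web.xml with a <filter> element whose
 * <filter-class> is this class, and a <filter-mapping> on <url-pattern>/*.
 * Hypothetical class name; Servlet 2.5 (Tomcat 6.0.x) API.
 */
public class EtagStripFilter implements Filter {

    // Response wrapper that ignores attempts to set or add an ETag header
    // but passes every other header through to the real response.
    static class NoEtagResponse extends HttpServletResponseWrapper {
        NoEtagResponse(HttpServletResponse response) {
            super(response);
        }

        @Override
        public void setHeader(String name, String value) {
            if (!"ETag".equalsIgnoreCase(name)) {
                super.setHeader(name, value);
            }
        }

        @Override
        public void addHeader(String name, String value) {
            if (!"ETag".equalsIgnoreCase(name)) {
                super.addHeader(name, value);
            }
        }
    }

    public void init(FilterConfig filterConfig) { }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            chain.doFilter(request, new NoEtagResponse((HttpServletResponse) response));
        } else {
            chain.doFilter(request, response); // non-HTTP response: nothing to strip
        }
    }

    public void destroy() { }
}
```

With the ETag gone, browsers fall back to the Last-Modified header that DefaultServlet also sets, so conditional GETs (If-Modified-Since) keep working and static content is still cached.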


Re: How to turn off Etag headers?

Posted by Youssef Mohammed <yo...@gmail.com>.
correction again! WAS not WSAD.


On Sat, Jun 21, 2008 at 1:58 AM, Youssef Mohammed <
youssef.mohammed@gmail.com> wrote:

>
> > no way !  well at least in our apps a major bank in the
>> > region. we have done extensive tests and we got 10% - 20%
>> > performance gain.
>>
>> Since you're dealing with banking information, I suspect much of your
>> traffic is via SSL.  Turn on the APR connector in Tomcat with OpenSSL and
>> try the measurements again.  The pure Java connector is definitely slower
>> than the httpd/APR one for doing encryption.
>>
>
> we are using separate hardware to do SSL (SSL offloaders), we are moving
> the static content on any web app into apache so it won't need to go to
> tomcat to fetch that and here we get the gain.
>
> look Charles, I am really open to get rid of httpd (it is not my cousin
> anyway!) but i need to be convinced.
>
> Note also that commercial application servers (namely WSAD and Oracle) do
> come with httpd in front of their app server.
>


-- 
Regards, Youssef

Re: How to turn off Etag headers?

Posted by Youssef Mohammed <yo...@gmail.com>.
> > no way !  well at least in our apps a major bank in the
> > region. we have done extensive tests and we got 10% - 20%
> > performance gain.
>
> Since you're dealing with banking information, I suspect much of your
> traffic is via SSL.  Turn on the APR connector in Tomcat with OpenSSL and
> try the measurements again.  The pure Java connector is definitely slower
> than the httpd/APR one for doing encryption.
>

we are using separate hardware to do SSL (SSL offloaders), we are moving
the static content on any web app into apache so it won't need to go to
tomcat to fetch that and here we get the gain.

look Charles, I am really open to get rid of httpd (it is not my cousin
anyway!) but i need to be convinced.

Note also that commercial application servers (namely WSAD and Oracle) do
come with httpd in front of their app server.

RE: How to turn off Etag headers?

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Youssef Mohammed [mailto:youssef.mohammed@gmail.com]
> Subject: Re: How to turn off Etag headers?
>
> no way !  well at least in our apps a major bank in the
> region. we have done extensive tests and we got 10% - 20%
> performance gain.

Since you're dealing with banking information, I suspect much of your traffic is via SSL.  Turn on the APR connector in Tomcat with OpenSSL and try the measurements again.  The pure Java connector is definitely slower than the httpd/APR one for doing encryption.

 - Chuck




Re: How to turn off Etag headers?

Posted by Youssef Mohammed <yo...@gmail.com>.
corrected

On Sat, Jun 21, 2008 at 1:44 AM, Youssef Mohammed <
youssef.mohammed@gmail.com> wrote:

> On Sat, Jun 21, 2008 at 1:29 AM, Caldarale, Charles R <
> Chuck.Caldarale@unisys.com> wrote:
>
>> > From: Youssef Mohammed [mailto:youssef.mohammed@gmail.com]
>> > Subject: Re: How to turn off Etag headers?
>> >
>> > Although I don't really see a point on not having apache in a real
>> > deployment.
>>
>> Because adding httpd makes things slower.  Read the recent threads about
>> performance comparisons.
>
>
> no way!  well at least in our apps a major bank in the region. we have
> done extensive tests and we got 10% - 20% performance gain.
> from IT perspective, it is much better to have httpd as proxy for all your
> web apps inside your enterprise.
>
>>
>>
>>  - Chuck
>
>
> --
> Regards, Youssef




-- 
Regards, Youssef

Re: How to turn off Etag headers?

Posted by Youssef Mohammed <yo...@gmail.com>.
On Sat, Jun 21, 2008 at 1:29 AM, Caldarale, Charles R <
Chuck.Caldarale@unisys.com> wrote:

> > From: Youssef Mohammed [mailto:youssef.mohammed@gmail.com]
> > Subject: Re: How to turn off Etag headers?
> >
> > Although I don't really see a point on not having apache in a real
> > deployment.
>
> Because adding httpd makes things slower.  Read the recent threads about
> performance comparisons.


no way!  well at least in our apps a major bank in the region. we have
done extensive tests and we got 10% - 20% performance gain.
from IT perspective, it is much better to have httpd as proxy for all your
web apps inside your enterprise.

>
>
>  - Chuck
>


-- 
Regards, Youssef

RE: How to turn off Etag headers?

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Youssef Mohammed [mailto:youssef.mohammed@gmail.com]
> Subject: Re: How to turn off Etag headers?
>
> Although I don't really see a point on not having apache in a real
> deployment.

Because adding httpd makes things slower.  Read the recent threads about performance comparisons.

 - Chuck




Re: How to turn off Etag headers?

Posted by Youssef Mohammed <yo...@gmail.com>.
On Sat, Jun 21, 2008 at 1:12 AM, Caldarale, Charles R <
Chuck.Caldarale@unisys.com> wrote:

> > From: Youssef Mohammed [mailto:youssef.mohammed@gmail.com]
> > Subject: Re: How to turn off Etag headers?
> >
> > if you are running behind apache ..
>
> Did you read the original message?
>

Sorry I missed that. So doing that through a filter would be the way to go.
Although I don't really see a point in not having apache in a real
deployment.

>
>
> > > No other apps run on the server, for example, there
> > > is no Apache httpd running.
>
>  - Chuck
>


-- 
Regards, Youssef

RE: How to turn off Etag headers?

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Youssef Mohammed [mailto:youssef.mohammed@gmail.com]
> Subject: Re: How to turn off Etag headers?
>
> if you are running behind apache ..

Did you read the original message?

> > No other apps run on the server, for example, there
> > is no Apache httpd running.

 - Chuck




Re: How to turn off Etag headers?

Posted by Youssef Mohammed <yo...@gmail.com>.
if you are running behind apache .. you can turn that off using the
mod_headers ... you can unset any headers then.

On Fri, Jun 20, 2008 at 8:37 PM, Dave Girardin <un...@gmail.com> wrote:

> Group,
>
> I'm a Unix admin working on a Solaris 8 server running Tomcat 6.0.16. No
> other apps run on the server, for example, there is no Apache httpd
> running.
> I have been tasked with turning off Etag headers. Our security folks have
> supposedly identified this security vulnerability; note that it says Apache
> but it's really Tomcat:
>
> Vulnerability Identified: Apache ETag Header Information Disclosure
> Weakness
>
> Severity: Low
>
> Description: A cache management feature is available for Apache that makes
> use of an entity tag (ETag) header. When this option is enabled and a
> request is made for a document relating to a file, for caching purposes, an
> ETag response header is returned containing various file attributes. A
> weakness has been found in the generation of ETag headers under certain
> configurations implementing the FileETag directive.
>
> Impact: Among the file attributes included in the header is the file inode
> number that is returned to a client. This poses a security risk, as this
> information may aid in launching attacks against other network-based
> services. For instance, NFS uses inode numbers to generate file handles.
>
> Recommendation: Disable ETag headers. Apache 1.3.22 and earlier are not
> configurable to disable the use of inodes in ETag headers. Default behavior
> in later versions will still release this sensitive information. OpenBSD
> has
> released a patch that addresses this issue. Inode numbers returned from the
> server are now encoded using a private hash to avoid the release of
> sensitive information.
>
> Can anyone tell me how to disable the ETag headers? I have searched the
> documentation and sorry if it's there I missed it.
>
> Thanks!!
>
> David
>



-- 
Regards, Youssef