Posted to issues@zookeeper.apache.org by "Michel Wigbers (Jira)" <ji...@apache.org> on 2020/09/30 06:52:00 UTC

[jira] [Commented] (ZOOKEEPER-3731) Disable HTTP TRACE Method

    [ https://issues.apache.org/jira/browse/ZOOKEEPER-3731?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17204491#comment-17204491 ] 

Michel Wigbers commented on ZOOKEEPER-3731:
-------------------------------------------

Guardian360 is reporting this as a security issue.

> Disable HTTP TRACE Method
> -------------------------
>
>                 Key: ZOOKEEPER-3731
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3731
>             Project: ZooKeeper
>          Issue Type: Improvement
>    Affects Versions: 3.5.7
>            Reporter: Aaron
>            Priority: Critical
>
> ZooKeeper uses embedded jetty which allows TRACE method by default. This is a widely-known security concern. Please disable HTTP TRACE method.
>  
> See CVE-2004-2320, CVE-2010-0386, CVE-2003-1567 for more info.
>  
> Example:
>
>     $ curl -vX TRACE 10.32.99.185:8080
>     * Rebuilt URL to: 10.32.99.185:8080/
>     *   Trying 10.32.99.185...
>     * TCP_NODELAY set
>     * Connected to 10.32.99.185 (10.32.99.185) port 8080 (#0)
>     > TRACE / HTTP/1.1
>     > Host: 10.32.99.185:8080
>     > User-Agent: curl/7.59.0
>     > Accept: */*
>     >
>     < HTTP/1.1 200 OK
>     < Date: Tue, 18 Feb 2020 12:38:35 GMT
>     < Content-Type: message/http
>     < Content-Length: 81
>     < Server: Jetty(9.4.17.v20190418)
>     <
>     TRACE / HTTP/1.1
>     User-Agent: curl/7.59.0
>     Accept: */*
>     Host: 10.32.99.185:8080
>     * Connection #0 to host 10.32.99.185 left intact
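To verify after the change that an endpoint such as the admin server above no longer answers TRACE, here is an added probe (not ZooKeeper's code and not from the issue) that sends one TRACE request carrying a random marker header and classifies the reply the way the curl output above is read: a 200 with a message/http body that echoes the request means TRACE is still enabled. The target host, the 8080 default and the X-Trace-Probe header name are assumptions.

```python
"""Added example (not ZooKeeper's code): probe whether an HTTP endpoint such as
the admin server on 8080 still answers TRACE, and classify the reply.
The host, the 8080 default and the X-Trace-Probe header name are assumptions."""
import http.client
import secrets
import sys
from dataclasses import dataclass

@dataclass(frozen=True)
class TraceResult:
    status: int
    content_type: str
    reflects_marker: bool

    @property
    def trace_enabled(self) -> bool:
        # A working TRACE answers 200 with a message/http body echoing the
        # request, exactly as in the issue's curl output. A 405/403/501, or a
        # 200 that is neither message/http nor echoes our marker, means it is off.
        return self.status == 200 and (
            self.content_type.startswith("message/http") or self.reflects_marker)

def classify_trace_response(status: int, content_type: str,
                            body: bytes, marker: str) -> TraceResult:
    # `marker` is the random value we sent in the probe header; seeing it in
    # the body proves the server reflected our request headers back to us.
    return TraceResult(status=status,
                       content_type=(content_type or "").lower(),
                       reflects_marker=marker.encode("ascii") in body)

def probe_trace(host: str, port: int = 8080, timeout: float = 5.0) -> TraceResult:
    """Send one TRACE request carrying a random marker header and classify it."""
    marker = secrets.token_hex(8)
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        # X-Trace-Probe is an arbitrary header name chosen for this example.
        conn.request("TRACE", "/", headers={"X-Trace-Probe": marker})
        resp = conn.getresponse()
        body = resp.read()
        return classify_trace_response(
            resp.status, resp.getheader("Content-Type", ""), body, marker)
    finally:
        conn.close()

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    result = probe_trace(target)
    print(f"{target}: TRACE {'ENABLED' if result.trace_enabled else 'disabled'} "
          f"(status {result.status}, content-type {result.content_type!r})")
```

Run it against your own admin server before and after disabling TRACE; a disabled method typically comes back as 405 or 403 with an HTML error body rather than a message/http echo.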



--
This message was sent by Atlassian Jira
(v8.3.4#803005)