Posted to dev@zookeeper.apache.org by "Aaron (Jira)" <ji...@apache.org> on 2020/02/18 12:55:00 UTC

[jira] [Created] (ZOOKEEPER-3731) Disable HTTP TRACE Method

Aaron created ZOOKEEPER-3731:
--------------------------------

             Summary: Disable HTTP TRACE Method
                 Key: ZOOKEEPER-3731
                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3731
             Project: ZooKeeper
          Issue Type: Improvement
    Affects Versions: 3.5.7
            Reporter: Aaron


ZooKeeper uses embedded Jetty, which allows the TRACE method by default. This is a widely known security concern. Please disable the HTTP TRACE method.

See CVE-2004-2320, CVE-2010-0386 and CVE-2003-1567 for more info.

Example:
{noformat}
$ curl -vX TRACE 10.32.99.185:8080
* Rebuilt URL to: 10.32.99.185:8080/
* Trying 10.32.99.185...
* TCP_NODELAY set
* Connected to 10.32.99.185 (10.32.99.185) port 8080 (#0)
> TRACE / HTTP/1.1
> Host: 10.32.99.185:8080
> User-Agent: curl/7.59.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 18 Feb 2020 12:38:35 GMT
< Content-Type: message/http
< Content-Length: 81
< Server: Jetty(9.4.17.v20190418)
<
TRACE / HTTP/1.1
User-Agent: curl/7.59.0
Accept: */*
Host: 10.32.99.185:8080
* Connection #0 to host 10.32.99.185 left intact
{noformat}
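A Jetty-side mitigation for the behaviour shown above, as an added example (not ZooKeeper's own code and not the project's eventual fix): a security constraint that forbids TRACE on every path, so Jetty answers it with 403 Forbidden instead of echoing the request back as message/http. It assumes Jetty 9.4 (the version in the Server header above) with jetty-server, jetty-servlet and jetty-security on the classpath; the class name NoTraceServer, the placeholder servlet and port 8080 are arbitrary choices.

```java
// Added example, not ZooKeeper code: minimal Jetty 9.4 server that rejects HTTP TRACE.
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.security.Constraint;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class NoTraceServer {

    // A constraint with authenticate=true and no roles is "forbidden" in Jetty:
    // no LoginService is needed, and every TRACE request matching the path spec
    // is rejected with 403 before any servlet (and HttpServlet.doTrace's echo) runs.
    static ConstraintSecurityHandler disableTrace() {
        Constraint constraint = new Constraint();
        constraint.setName("Disable TRACE");
        constraint.setAuthenticate(true);

        ConstraintMapping mapping = new ConstraintMapping();
        mapping.setConstraint(constraint);
        mapping.setMethod("TRACE");   // only TRACE is affected; GET etc. pass through
        mapping.setPathSpec("/*");

        ConstraintSecurityHandler handler = new ConstraintSecurityHandler();
        handler.addConstraintMapping(mapping);
        return handler;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080);          // port chosen to match the report
        ServletContextHandler context = new ServletContextHandler();
        context.setContextPath("/");
        context.setSecurityHandler(disableTrace());
        // Placeholder servlet standing in for the real endpoints (hypothetical).
        context.addServlet(new ServletHolder(new HttpServlet() {
            @Override
            protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
                resp.getWriter().println("ok");
            }
        }), "/*");
        server.setHandler(context);
        server.start();
        server.join();
    }
}
```

Re-running the `curl -vX TRACE` command from the report against this server is the check: a 403 status with no echoed request body confirms the constraint is active, while a 200 with Content-Type message/http means the handler is not in the chain.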



--
This message was sent by Atlassian Jira
(v8.3.4#803005)