Security Findings: CVE-2000-0649 in EM Jetty

Article ID: 144883

Updated On:

Products

CA Application Performance Management Agent (APM / Wily / Introscope)
CA Application Performance Management (APM / Wily / Introscope)
INTROSCOPE
DX Application Performance Management

Issue/Introduction

Dear Sir or Madam,

1. Which version of Jetty is being used within CA APM 10.5.2.99?
2. Is there a configuration that we can add to prevent the web server on EM-MOM (webview) from including the internal IP address within the HTTP Header?

During a security scan, found that the Jetty server on our EM-MOM has a security finding, of the internal IP address being included in the HTTP header.

Reviewing the various resources and knowing that it is a Jetty web server, found the following link: http://jetty.4.x6.nabble.com/jetty-users-NAT-with-HTTP-1-0-returns-internal-IP-address-td4960322.html

Web Server HTTP Header Internal IP Disclosure

Plugin Details
Severity: Low
ID: 10759
File Name: iis_nat.nasl
Version: 1.60
Type: remote
Family: Web Servers
Published: 2001/09/14
Updated: 2019/03/27
Dependencies: 11919, 10107, 17975

Risk Information
Risk Factor: Low
CVSS Score Source: CVE-2000-0649

Environment

Release :

Component : Introscope

Resolution

Jetty 9 is available from the 10.7.0HF22 build, which comes with SP3.

> Is there a way with the Jetty version present to change the 302 (redirect) to use the DNS name instead of the IP address?

Have not found any other way other than adding a virtual host name list to the web app context. APM uses embedded Jetty, so adding virtual hosts should be done at the code level.
We can make a configurable XML file to add virtual hosts, but it will be an enhancement request.
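
To re-check the scan finding after an upgrade or configuration change, the following added example (not part of the original article and not Broadcom code) parses a raw HTTP response and reports any RFC 1918 address found in its headers, such as the `Location` header of a 302 redirect. The sample responses, host name, port and path are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges: addresses that should not appear in responses sent to outside clients.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Dotted-quad candidates that are not part of a longer dotted number.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def internal_ips(value):
    """Return the RFC 1918 IPv4 addresses found in one header value."""
    found = []
    for candidate in IPV4_RE.findall(value):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:  # not a valid address, e.g. 999.1.1.1
            continue
        if any(addr in net for net in RFC1918):
            found.append(candidate)
    return found

def audit_response(raw):
    """Parse the header block of a raw HTTP response.

    Returns (status_code, [(header_name, internal_ip), ...]).
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    hits = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        for ip in internal_ips(value):
            hits.append((name.strip(), ip))
    return status, hits

# Constructed sample responses (not captured from a real Enterprise Manager).
LEAKY = (b"HTTP/1.1 302 Found\r\n"
         b"Location: http://10.20.30.40:8080/webview/\r\n"
         b"Content-Length: 0\r\n\r\n")
CLEAN = (b"HTTP/1.1 302 Found\r\n"
         b"Location: http://apm-mom.example.com:8080/webview/\r\n"
         b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY), ("clean", CLEAN)):
        status, hits = audit_response(resp)
        print(label, status, hits or "no internal address in headers")
```
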