Security Findings : CVE-2000-0649 in EM jetty

Article Id: 144883

Status: Published

Updated On: 21-04-2020 16:35

Products:

CA Application Performance Management Agent (APM / Wily / Introscope) , CA Application Performance Management (APM / Wily / Introscope) , INTROSCOPE , DX Application Performance Management

Issue/Introduction:

Dear Sir or Madam, 1. Which version of Jetty is being used within CA APM 10.5.2.99? 2. Is there a configuration that we can add to prevent the web server on EM-MOM (webview) from including the internal IP address within the HTTP Header? During a security scan, found that the Jetty server on our EM-MOM has a security finding, of the internal IP address being included in the HTTP header.

Reviewing the various resources and knowing that it is a Jetty web server, found the following link: http://jetty.4.x6.nabble.com/jetty-users-NAT-with-HTTP-1-0-returns-internal-IP-address-td4960322.html Web Server HTTP Header Internal IP Disclosure Plugin Details Severity: Low ID: 10759 File Name: iis_nat.nasl Version: 1.60 Type: remote Family: Web Servers Published: 2001/09/14 Updated: 2019/03/27 Dependencies: 11919, 10107, 17975 Risk Information Risk Factor: Low CVSS Score Source: CVE-2000-0649

Environment:

Release :

Component : Introscope

Resolution:

Jetty 9 is available from the 10.7.0HF22 build, which comes with SP3.

>is there a way with the Jetty version present to change the 302 (redirect) to use the DNS name instead of the IP address?
Have not found any other way other adding a virtual host name list to web app context. APM uses embedded jetty so adding virtual hosts should be done at the code level.
we can make configurable XML file to added virtual host but it will be an enhancement request.