
Disable TRACK / TRACE method for Eclipse Adoptium


Article ID: 252835


Updated On:

Products

CA Automic Workload Automation - Automation Engine
CA Automic One Automation

Issue/Introduction

Vulnerability scans are showing that the HTTP TRACE method is currently allowed for the AWI when using the Jetty launcher. This is raising alerts in the vulnerability scans (see below). Please advise how we can disable the HTTP TRACE / TRACK methods in the JDK.

Please note: The AWI was installed using the Bundled Eclipse Jetty Launcher.



Host         Protocol   Port   Name
10.x.x.xx    tcp        8080   HTTP TRACE / TRACK Methods Allowed

java.exe    7328 Services    0    448,904 K

C:\Program Files\Eclipse Adoptium\jdk-11.0.14.101-hotspot\bin

Environment

Release : 21.0.1

Cause

Product defect prior to the release of 21.0.4

Resolution

A TRACE request to the Jetty AWI should return status 405 (Method Not Allowed) instead of 200, but due to a bug earlier versions of 21.0 did not return that status. This has been fixed in the Jetty AWI component with release 21.0.4, which is available for download from downloads.automic.com.

Please note that updating the AWI component also requires an update to the utilities, initialdata, and automationengine components.
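One way to confirm the result after the update, as an added example that is not part of the original article or the product: the check below sends TRACE and TRACK requests and reports whether each is answered with a 2xx status. The function names and the local stand-in server (which simulates the 200 and 405 behaviours described above, and is not Jetty) are assumptions made for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def check_methods(host, port, methods=("TRACE", "TRACK"), timeout=5):
    """Return {method: (status, allowed)}; allowed is True for any 2xx answer."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, "/")
            resp = conn.getresponse()
            resp.read()  # drain the body so the connection closes cleanly
            results[method] = (resp.status, 200 <= resp.status < 300)
        finally:
            conn.close()
    return results

def _make_handler(fixed):
    """Constructed stand-in server: fixed=False echoes with 200, fixed=True answers 405."""
    class Handler(BaseHTTPRequestHandler):
        def _answer(self):
            if fixed:
                self.send_response(405)
                self.send_header("Content-Length", "0")
                self.end_headers()
                return
            body = f"{self.command} {self.path} {self.request_version}\r\n".encode()
            self.send_response(200)
            self.send_header("Content-Type", "message/http")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        # Assumption: the stand-in treats TRACK the same way as TRACE.
        do_TRACE = do_TRACK = _answer
        def log_message(self, *args):  # keep the demo output quiet
            pass
    return Handler

def demo(fixed):
    """Run check_methods against the stand-in server on a free loopback port."""
    server = HTTPServer(("127.0.0.1", 0), _make_handler(fixed))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_methods("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print("simulated pre-fix behaviour :", demo(fixed=False))
    print("simulated post-fix behaviour:", demo(fixed=True))
```

To check a real installation, call `check_methods` with the AWI host and the port from the scan report (8080 in the finding above); an `allowed` value of `False` for TRACE matches the fixed behaviour.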