Vulnerability scans are showing that the HTTP TRACE method is currently allowed for the AWI when using the Jetty launcher. This is throwing up alerts in the vulnerability scans (see below). Please advise how we can disable the HTTP TRACE / TRACK methods in the JDK.
Please note: The AWI was installed using the Bundled Eclipse Jetty Launcher.
Host        Protocol   Port   Name
10.x.x.xx   tcp        8080   HTTP TRACE / TRACK Methods Allowed
java.exe 7328 Services 0 448,904 K
C:\Program Files\Eclipse Adoptium\jdk-126.96.36.199-hotspot\bin
Release : 21.0.1
Product defect prior to the release of 21.0.4
A TRACE request to the Jetty AWI should return status 405 (Method Not Allowed) instead of 200, but due to a bug earlier versions of 21.0 did not return it. This has been fixed in the Jetty AWI component in release 21.0.4, which is available for download from downloads.automic.com.
Please note that updating the AWI component also requires an update to the utilities, initialdata, and automationengine components.
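To confirm the fix after the upgrade without waiting for the next scan, the check below sends TRACE and TRACK to a listener and reports which methods are still answered with a 2xx status. It is an added example, not Automic or Broadcom code; `probe_methods`, `allowed_methods` and the local stub server (which imitates the 200 and 405 responses described above) are constructed for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe_methods(host, port, path="/", methods=("TRACE", "TRACK"), timeout=5):
    """Send each method once and return {method: HTTP status}."""
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path)
            resp = conn.getresponse()
            resp.read()  # drain the body so the socket closes cleanly
            results[method] = resp.status
        finally:
            conn.close()
    return results


def allowed_methods(results):
    """Methods a scanner would flag: anything answered with a 2xx status."""
    return sorted(m for m, status in results.items() if 200 <= status < 300)


class _Stub(BaseHTTPRequestHandler):
    """Constructed stand-in for the AWI listener; not real Jetty behaviour."""
    status = 405

    def _reply(self):
        self.send_response(self.status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_TRACE = do_TRACK = _reply

    def log_message(self, *args):  # keep the console quiet
        pass


def start_stub(status):
    """Start a loopback server that answers TRACE/TRACK with `status`."""
    handler = type("Stub", (_Stub,), {"status": status})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    for label, status in (("before 21.0.4", 200), ("21.0.4", 405)):
        srv = start_stub(status)
        res = probe_methods("127.0.0.1", srv.server_port)
        print(label, res, "flagged:", allowed_methods(res))
        srv.shutdown()
```

Against a real installation, call `probe_methods` with the AWI host and the port from the scan finding (8080 above); an empty list from `allowed_methods` means neither method is answered with a success status.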