Information Disclosure issue on Virtual Appliance as JSP version is shown in HTTP header



Article ID: 261778



Products

CA Identity Suite

Issue/Introduction

The JSP version number is shown in the HTTP response headers when running the following command against the Identity Suite Virtual Appliance with IM running.


[root@xxxxxxxx ~]# curl -I --insecure https://xx.xx.xx.xx/iam/im/index.jsp
HTTP/1.1 302 Found
Date: Sun, 26 Feb 2023 23:26:53 GMT
Server: vApp Web Server
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains
*X-Powered-By: JSP/2.3*
Location: logout.jsp
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 1
Set-Cookie: JSESSIONID=uJ75qDd67VUAy6uprN7b4B2aCb_24qyjBdQ4_oJT.iamnode1; path=/iam/im
Via: 1.1 CA_IMAG_VAPP


The web server/application should be configured not to disclose the version number to the user. Error messages for end users should only contain information that is relevant to them and should not reveal any other internal information. This is an information disclosure issue.
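A check a practitioner can run offline against captured `curl -I` output to confirm whether a response still leaks implementation details (added example, not part of the KB article or the product; the header block and cookie value below are constructed, modelled on the output above):

```python
"""Flag HTTP response headers that disclose implementation details.

Parses the raw header block printed by `curl -I` and reports headers
such as the X-Powered-By: JSP/2.3 line shown in the article.
"""
import re

# Technology headers whose presence is a finding regardless of value.
TECH_HEADERS = {"x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}
# A dotted version number, e.g. 2.3 or 9.0.65, inside a Server value.
VERSION_RE = re.compile(r"\d+(\.\d+)+")


def parse_headers(raw: str) -> dict:
    """Turn a `curl -I` header block into a {lowercase-name: value} dict."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # skip the status line and blank lines
        name, value = line.split(":", 1)  # split once: Date values contain ':'
        headers[name.strip().lower()] = value.strip()
    return headers


def find_disclosures(raw: str) -> list:
    """Return (header, value, reason) tuples for headers that reveal too much."""
    findings = []
    for name, value in parse_headers(raw).items():
        if name in TECH_HEADERS:
            findings.append((name, value, "technology header should be removed"))
        elif name == "server" and VERSION_RE.search(value):
            findings.append((name, value, "Server header carries a version number"))
    return findings


# Constructed sample modelled on the article's output; the cookie is a placeholder.
SAMPLE = """HTTP/1.1 302 Found
Date: Sun, 26 Feb 2023 23:26:53 GMT
Server: vApp Web Server
X-Frame-Options: SAMEORIGIN
X-Powered-By: JSP/2.3
Location: logout.jsp
Set-Cookie: JSESSIONID=constructed-placeholder; path=/iam/im
Via: 1.1 CA_IMAG_VAPP
"""

if __name__ == "__main__":
    for header, value, reason in find_disclosures(SAMPLE):
        print(f"{header}: {value}  <- {reason}")
```

The `Server: vApp Web Server` value carries no version and is not flagged, so the only finding on the sample is the `X-Powered-By` header; rerun the check on the live output after the fix is applied to confirm it is gone.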

Can we remediate this problem?


Environment

Release : Virtual Appliance 14.4.x

Resolution

This is a known issue and has been recorded as DE559493.
At the time this article was written, a fix is available for vApp 14.4.1.

Please raise a Support ticket and reference this KB article to obtain the fix.