We recently hired an outside IT security firm to conduct a penetration test of the Automation Engine. Below is one of their findings regarding the AWI:
It should not be possible to identify the used application component versions through, e.g.:
For example, the penetration tester used the above information to discover that the Vaadin framework used to create the application was version 7.7.17. He was then able to find known vulnerabilities in this version at https://vaadin.com/security.
Would you kindly evaluate this and let us know whether Broadcom would consider implementing this change?
Release: 12.3.6
This will continue to work this way in current versions and will be addressed in a future version as an enhancement in functionality.