[ https://issues.apache.org/jira/browse/AIRFLOW-4181?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ash Berlin-Taylor closed AIRFLOW-4181.
--------------------------------------
Resolution: Won't Do
I do not see that disclosing the version of the software is a security risk.
Let's say that a hypothetical vulnerability is disclosed in Gunicorn – what are
the chances that someone is going to just blindly try it in a scatter-gun
approach, vs see "Oh it doesn't claim to be this version, I won't bother trying
this vulnerability". That is not how automated probes work.
> [security] ui - Server Information Disclosure
> ---------------------------------------------
>
> Key: AIRFLOW-4181
> URL: https://issues.apache.org/jira/browse/AIRFLOW-4181
> Project: Apache Airflow
> Issue Type: Improvement
> Components: security, ui
> Reporter: t oo
> Priority: Trivial
>
> The Airflow application reveals server information through HTTP response
> headers. The following information is provided:
> Server: gunicorn/19.9.0. The application also allows access to a default
> monitoring page /health which provides a small amount of information about
> the server status.
>
> Business Impact/Attack Scenario
> Information regarding the web server, version information, frameworks,
> development methodology or anything related to the infrastructure of an
> application may be collected by an attacker. Information gathered may then be
> used to perform targeted research, vulnerability or exploit development
> against known components or social engineering style attacks against
> application owners. Information gathered also increases the likelihood of
> compromise in the event publicly disclosed vulnerabilities are released.
>
> Recommendation
> Remove the information from the application's HTTP headers in the response.
> Modify gunicorn's conf.py and change the following parameter:
> import gunicorn
> gunicorn.SERVER_SOFTWARE = '<change_server_info_here>'
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
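Editor's note: the script below is an added example for verifying the reporter's recommendation; it is not code from AIRFLOW-4181, from Airflow, or from gunicorn. It parses a raw HTTP response as captured with `curl -sI http://host:8080/health` (host and port are assumptions) and reports every banner header whose value names a product and a version, so the `Server` header can be checked before and after the `gunicorn.SERVER_SOFTWARE` override is applied. The two sample responses are constructed: the "before" one carries the `Server: gunicorn/19.9.0` value quoted in the issue, the "after" one assumes the placeholder in the recommendation was replaced with the literal string `Server`. What the header actually contains may differ between gunicorn releases, so run the check against the installed version rather than assuming the override took effect.

```python
"""Report product/version disclosure in HTTP response headers.

Added example (not Airflow or gunicorn code). Feed it the raw bytes of a
response, e.g. the output of `curl -sI http://host:8080/health` (host and
port are assumptions), and it lists every banner header that leaks a version.
"""
import re
from typing import Dict, List, Tuple

# Response headers that commonly carry a product banner.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# Matches "product/1.2.3" or "product 1.2.3"; trailing text such as
# "(Ubuntu)" is ignored, and a bare product name without a version is not a hit.
_BANNER_RE = re.compile(r"(?P<product>[A-Za-z][\w.+-]*)[/ ](?P<version>\d+(?:\.\d+)+)")


def parse_headers(raw: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw HTTP response into (status line, {lower-name: [values]})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = lines[0]
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line or ":" not in line:
            continue  # skip blank or malformed lines rather than fail
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def find_disclosures(raw: bytes) -> List[Tuple[str, str, str]]:
    """Return (header, product, version) for each banner header naming a version."""
    _, headers = parse_headers(raw)
    found: List[Tuple[str, str, str]] = []
    for name in BANNER_HEADERS:
        for value in headers.get(name, []):
            for match in _BANNER_RE.finditer(value):
                found.append((name, match.group("product"), match.group("version")))
    return found


# Constructed sample responses (not captured from a real server).
# "before": the header value quoted in the issue.
BEFORE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: gunicorn/19.9.0\r\n"
    b"Date: Mon, 01 Apr 2019 10:00:00 GMT\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 2\r\n"
    b"\r\n"
    b"{}"
)
# "after": assumes gunicorn.SERVER_SOFTWARE was set to the literal 'Server'.
AFTER = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Server\r\n"
    b"Date: Mon, 01 Apr 2019 10:00:00 GMT\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 2\r\n"
    b"\r\n"
    b"{}"
)
# A second banner header, to show the check is not limited to Server:.
MULTI = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.4.41 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/7.4.3\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER), ("multi", MULTI)):
        hits = find_disclosures(raw)
        print(f"{label}: {'no version disclosed' if not hits else hits}")
```

In practice, pipe a real capture into `find_disclosures` instead of the constructed samples; an empty list means no banner header on the checked list names a version, which is the only thing this check establishes.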