[ 
https://issues.apache.org/jira/browse/CLOUDSTACK-10304?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Julian Gilbert updated CLOUDSTACK-10304:
----------------------------------------
    Description: 
{color:#000000}The Secondary Storage System VM discloses its Apache Web Server 
version number in HTTP headers and error pages. This type of information 
disclosure can lead to medium vulnerabilities being reported in web 
vulnerability scanners and reveals the Apache server version 
unnecessarily.{color}

{color:#000000}The apache2 directory structure no longer contains 
/etc/apache2/conf.d/ in Debian 9 and therefore the appropriate apache2 security 
configuration file is in another location. The /opt/cloud/bin/setup/common.sh 
script has not been updated to reflect this.{color}

  was:
{color:#000000}The Secondary Storage System VM discloses its Apache Server 
version number in HTTP headers and error pages. This type of information 
disclosure can lead to medium vulnerabilities being reported in web 
vulnerability scanners and reveals the Apache server version 
unnecessarily.{color}

{color:#000000}The apache2 directory structure no longer contains 
/etc/apache2/conf.d/ in Debian 9 and therefore the appropriate apache2 security 
configuration file is in another location. The /opt/cloud/bin/setup/common.sh 
script has not been updated to reflect this.{color}


> Apache Server Version Number Information Disclosure from System VM
> ------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-10304
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10304
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the 
> default.) 
>          Components: SystemVM
>    Affects Versions: 4.11.0.0
>            Reporter: Julian Gilbert
>            Priority: Major
>
> {color:#000000}The Secondary Storage System VM discloses its Apache Web 
> Server version number in HTTP headers and error pages. This type of 
> information disclosure can lead to medium vulnerabilities being reported in 
> web vulnerability scanners and reveals the Apache server version 
> unnecessarily.{color}
> {color:#000000}The apache2 directory structure no longer contains 
> /etc/apache2/conf.d/ in Debian 9 and therefore the appropriate apache2 
> security configuration file is in another location. The 
> /opt/cloud/bin/setup/common.sh script has not been updated to reflect 
> this.{color}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to