[ https://issues.apache.org/jira/browse/ZOOKEEPER-3731?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17140886#comment-17140886 ]
Gary Knutson commented on ZOOKEEPER-3731:
-----------------------------------------

We too are experiencing the same issue where our vulnerability scanning software is reporting a vulnerability because TRACE is enabled for jetty.

> Disable HTTP TRACE Method
> -------------------------
>
> Key: ZOOKEEPER-3731
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3731
> Project: ZooKeeper
> Issue Type: Improvement
> Affects Versions: 3.5.7
> Reporter: Aaron
> Priority: Critical
>
> ZooKeeper uses embedded jetty which allows TRACE method by default. This is a
> widely-known security concern. Please disable HTTP TRACE method.
>
> CVE-2004-2320, CVE-2010-0386, CVE-2003-1567 for more info.
>
> Example:
> {quote}{{$ curl -vX TRACE 10.32.99.185:8080}}
> {{* Rebuilt URL to: 10.32.99.185:8080/}}
> {{* Trying 10.32.99.185...}}
> {{* TCP_NODELAY set}}
> {{* Connected to 10.32.99.185 (10.32.99.185) port 8080 (#0)}}
> {{> TRACE / HTTP/1.1}}
> {{> Host: 10.32.99.185:8080}}
> {{> User-Agent: curl/7.59.0}}
> {{> Accept: */*}}
> {{>}}
> {{< HTTP/1.1 200 OK}}
> {{< Date: Tue, 18 Feb 2020 12:38:35 GMT}}
> {{< Content-Type: message/http}}
> {{< Content-Length: 81}}
> {{< Server: Jetty(9.4.17.v20190418)}}
> {{<}}
> {{TRACE / HTTP/1.1}}
> {{User-Agent: curl/7.59.0}}
> {{Accept: */*}}
> {{Host: 10.32.99.185:8080}}
> {{* Connection #0 to host 10.32.99.185 left intact}}{quote}

--
This message was sent by Atlassian Jira
(v8.3.4#803005)