Michael, Mark and Chris,

> On 02.08.2019 at 01:40, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> Michael,
>
> On 8/1/19 15:21, Michael Osipov wrote:
>> On 2019-08-01 at 21:19, Mark Thomas wrote:
>>> On 01/08/2019 20:07, Justiniano, Tony wrote:
>>>> And that is what I was thinking, inadvertently, our scanning
>>>> tool just found the apache version during a scan and
>>>> corresponded it (the apache version) with a CVE.
>>>>
>>>> Do you concur?
>>>
>>> Sounds likely. Most low quality scanning tools only look at the
>>> version number.
>>
>> I was told the same security by obscurity nonsense by our ISEC
>> team.
Being the ISEC team(!), I'd ask you to validate the finding and do your homework, patch (you do, right?) or reconfigure your system, and if it is a false positive mark it as such. Done. So you are aware of the possible problems and you have assessed the risk: no http/2 == 0! (Well, you don't enable it next week, of course?!) I assume no one here would like a vuln scanner to exploit all issues and tear a system down. But of course there are stupid and better ones (scanners and ISEC teams ;-)). Nevertheless, the process of excluding false positives should be reasonable.

> The OP should just set their reported version number to Tomcat 4.3 and
> let it completely freak out.

Just for the test of it: great idea! But one of the first hardening actions on Tomcat is to disable standard error pages and version info. Server header removed (set to IIS if you like!)

    <Valve className="org.apache.catalina.valves.ErrorReportValve"
           showReport="false" showServerInfo="false" />

You reduce these findings and the info for the attackers.
Peter

> -chris
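To confirm that the hardening Peter describes (no Server header, ErrorReportValve with showReport="false" showServerInfo="false") actually took effect, here is an added example that is not from the thread and not Tomcat's own code. It parses a raw HTTP response and reports the product/version strings a version-matching scanner keys on. Both sample responses are constructed, and the version numbers in them are placeholders, not captured from any host.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample responses (not captured from any real server).
# BEFORE: stock ErrorReportValve output plus a Server header that names the
# connector and a version. The version numbers are placeholders.
BEFORE = b"\r\n".join([
    b"HTTP/1.1 404 ",
    b"Server: Apache-Coyote/1.1",
    b"Content-Type: text/html;charset=utf-8",
    b"",
    b"<html><head><title>Apache Tomcat/9.0.0 - Error report</title></head>",
    b"<body><h1>HTTP Status 404 - Not Found</h1><hr class=\"line\" />",
    b"<h3>Apache Tomcat/9.0.0</h3></body></html>",
])

# AFTER: the same request once the valve has showReport="false"
# showServerInfo="false" and the Server header is no longer sent.
AFTER = b"\r\n".join([
    b"HTTP/1.1 404 ",
    b"Content-Type: text/html;charset=utf-8",
    b"",
    b"<html><body><h1>HTTP Status 404 - Not Found</h1></body></html>",
])

# Product/version strings that version-matching scanners key on.
BODY_PATTERNS = [
    re.compile(rb"Apache Tomcat/\d+(?:\.\d+)*"),
    re.compile(rb"Apache-Coyote/\d+(?:\.\d+)*"),
]


def parse_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 response into status line, lowercase-keyed headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = lines[0].decode("ascii", "replace").strip()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        key = name.strip().lower().decode("ascii", "replace")
        headers[key] = value.strip().decode("ascii", "replace")
    return status, headers, body


def version_disclosures(raw: bytes) -> List[str]:
    """Return the distinct version disclosures found in one response, sorted."""
    _, headers, body = parse_response(raw)
    findings = set()
    server = headers.get("server")
    # A Server header carrying a number is exactly what a version-matching
    # scanner compares against its CVE list.
    if server and re.search(r"\d", server):
        findings.add(f"Server header discloses version: {server}")
    for pattern in BODY_PATTERNS:
        for match in pattern.finditer(body):
            findings.add(f"version string in body: {match.group(0).decode('ascii')}")
    return sorted(findings)


if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, version_disclosures(raw) or ["no version disclosure"])
```

Run it against the response you get from requesting a nonexistent path on the hardened host (saved raw, headers included) rather than the constructed samples; an empty result means the error page and Server header no longer give a version-matching scanner anything to correlate, which removes the false positives without changing the fact that patching is still what fixes real findings.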