Uploaded image for project: 'CloudStack'
  1. CloudStack
  2. CLOUDSTACK-10304

SystemVM - Apache Web Server Version Number Information Disclosure

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 4.11.0.0
    • 4.12.0.0, 4.11.1.0
    • SystemVM
    • Security Level: Public (Anyone can view this level - this is the default.)
    • None

    Description

      The Secondary Storage System VM discloses its Apache Web Server version number in HTTP headers and error pages. This type of information disclosure can lead to medium vulnerabilities being reported in web vulnerability scanners and reveals the Apache server version unnecessarily.

      The apache2 directory structure no longer contains /etc/apache2/conf.d/ in Debian 9 and therefore the appropriate apache2 security configuration file is in another location. The /opt/cloud/bin/setup/common.sh script has not been updated to reflect this.

      Attachments

        Issue Links

          links to

          Web Link GitHub Pull Request #2563

          Activity

            People

              bhaisaab Rohit Yadav
              jgilbert Julian Gilbert
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated: