Details
- Improvement
- Status: Closed
- Critical
- Resolution: Fixed
- 3.5.7
- None
Description
ZooKeeper uses embedded Jetty, which allows the TRACE method by default. This is a widely-known security concern. Please disable the HTTP TRACE method.
See CVE-2004-2320, CVE-2010-0386, CVE-2003-1567 for more info.
Example:
$ curl -vX TRACE 10.32.99.185:8080
* Rebuilt URL to: 10.32.99.185:8080/
* Trying 10.32.99.185...
* TCP_NODELAY set
* Connected to 10.32.99.185 (10.32.99.185) port 8080 (#0)
> TRACE / HTTP/1.1
> Host: 10.32.99.185:8080
> User-Agent: curl/7.59.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 18 Feb 2020 12:38:35 GMT
< Content-Type: message/http
< Content-Length: 81
< Server: Jetty(9.4.17.v20190418)
<
TRACE / HTTP/1.1
User-Agent: curl/7.59.0
Accept: */*
Host: 10.32.99.185:8080
* Connection #0 to host 10.32.99.185 left intact
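To verify the remediation (once TRACE is disabled the admin server must no longer echo the request back as `message/http`), here is an added audit check that is not part of this issue or of the ZooKeeper project. It classifies a raw HTTP response the way the curl session above does; the "enabled" sample is reconstructed from the report's output (the 81-byte echoed request), and the 405 sample is a constructed, hypothetical reply from a server with TRACE disabled.

```python
import socket

# Constructed sample: the reply shown in the report (Jetty echoing the request).
TRACE_ENABLED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Tue, 18 Feb 2020 12:38:35 GMT\r\n"
    b"Content-Type: message/http\r\n"
    b"Content-Length: 81\r\n"
    b"Server: Jetty(9.4.17.v20190418)\r\n\r\n"
    b"TRACE / HTTP/1.1\r\n"
    b"User-Agent: curl/7.59.0\r\n"
    b"Accept: */*\r\n"
    b"Host: 10.32.99.185:8080\r\n"
)
# Constructed sample (hypothetical): what a server with TRACE disabled returns.
TRACE_DISABLED_RESPONSE = (
    b"HTTP/1.1 405 Method Not Allowed\r\n"
    b"Content-Length: 0\r\n"
    b"Server: Jetty\r\n\r\n"
)

def parse_http_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def trace_reflected(raw):
    """True when the server answers TRACE by echoing the request (TRACE enabled)."""
    status, headers, body = parse_http_response(raw)
    if status != 200:
        return False                      # 405/403/501 etc. mean the method is refused
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return ctype == "message/http" or body.startswith(b"TRACE ")

def probe_trace(host, port=8080, timeout=5.0):
    """Send one TRACE request to an admin server you operate and classify the reply."""
    request = (f"TRACE / HTTP/1.1\r\nHost: {host}:{port}\r\n"
               "Connection: close\r\n\r\n").encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return trace_reflected(b"".join(chunks))
```

Run `probe_trace("<your-zk-host>")` against the admin server before and after upgrading to a fixed version; the sample constants let the classifier be exercised offline.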