tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Dave Girardin" <>
Subject How to turn off Etag headers?
Date Fri, 20 Jun 2008 17:37:54 GMT

I'm a Unix admin working on a Solaris 8 server running Tomcat 6.0.16. No
other apps run on the server, for example, there is no Apache httpd running.
I have been tasked with turning off Etag headers. Our security folks have
supposedly identified this security vulnerability, note that is says Apache
but it's really Tomcat:

Vulnerability Identified: Apache ETag Header Information Disclosure Weakness

Severity: Low

Description: A cache management feature is available for Apache that makes
use of an entity tag (ETag) header. When this option is enabled and a
request is made for a document relating to a file, for caching purposes, an
ETag response header is returned containing various file attributes. A
weakness has been found in the generation of ETag headers under certain
configurations implementing the FileETag directive.

Impact: Among the file attributes included in the header is the file inode
number that is returned to a client. This poses a security risk, as this
information may aid in launching attacks against other network-based
services. For instance, NFS uses inode numbers to generate file handles.

Recommendation: Disable ETag headers. Apache 1.3.22 and earlier are not
configurable to disable the use of inodes in ETag headers. Default behavior
in later versions will still release this sensitive information. OpenBSD has
released a patch that addresses this issue. Inode numbers returned from the
server are now encoded using a private hash to avoid the release of
sensitive information

Can anyone tell me how to disable the ETag headers? I have searched the
documentation and sorry if it's there I missed it.



  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message