topic Re: Apache Web Server ETag Header Information Disclosure in Administration and Deployment

Apache Web Server ETag Header Information Disclosure

rkalapala — Wed, 28 Jun 2017 06:27:48 GMT

Hi,

We wanted to disable ETag header information in our SAS mid tier, please help.

Re: Apache Web Server ETag Header Information Disclosure

Kurt_Bremser — Wed, 28 Jun 2017 06:38:22 GMT

Add

<IfModule headers_module>
  Header unset Etag
  FileETag none
</IfModule>

to /.../Lev1/Web/WebServer/conf/httpd.conf and restart the web server.

Reference:

http://www.websiteoptimization.com/secrets/advanced/configure-etags.html

Disclaimer: I have no idea if or how that might affect the SAS webapps.

Re: Apache Web Server ETag Header Information Disclosure

rkalapala — Wed, 28 Jun 2017 06:46:42 GMT

Thank you for your solution, it didn't help. I am still getting ETag information.

Re: Apache Web Server ETag Header Information Disclosure

alexal — Wed, 28 Jun 2017 07:18:18 GMT

@rkalapala,

What exactly is not working? Have you restarted the web server? You can try to add "Header unset Etag" without any "if" conditions.

Re: Apache Web Server ETag Header Information Disclosure

rkalapala — Wed, 28 Jun 2017 07:24:04 GMT

@alexal

Actually we wanted to remove Etag header information, I tried to add without if and with if, still it is displaying the Etag header information. I restarted Web Server after update.

Thank you

Re: Apache Web Server ETag Header Information Disclosure

alexal — Wed, 28 Jun 2017 07:30:48 GMT

@rkalapala,

That should work, but let me ask you, why are you wanted to remove Etag header information? We do not recommend making to do any changes in http.conf, unless they were suggested by technical support. What are you trying to achieve?

Re: Apache Web Server ETag Header Information Disclosure

rkalapala — Wed, 28 Jun 2017 07:34:13 GMT

@alexal

Our security team found that Apache Server ETag Header Information Disclosure, we have been asked to remediate, so we are disabling the Etag.

By the way your solution worked.

Re: Apache Web Server ETag Header Information Disclosure

Kurt_Bremser — Wed, 28 Jun 2017 07:34:14 GMT

How did you restart the web server? I recommend using

/..../Lev1/Web/WebServer/bin/httpdctl stop

(issued as the SAS install user)

then check if no httpd process is still running (ps -e|grep httpd)

and then issue

/..../Lev1/Web/WebServer/bin/httpdctl start

(again as SAS install user)

Re: Apache Web Server ETag Header Information Disclosure

rkalapala — Wed, 28 Jun 2017 07:36:52 GMT

@Kurt_Bremser

I restarted web server as same way as recommended.

/..../Lev1/Web/WebServer/bin/httpdctl stop

/..../Lev1/Web/WebServer/bin/httpdctl start

Thank you for your help

Re: Apache Web Server ETag Header Information Disclosure

JuanS_OCS — Wed, 28 Jun 2017 07:47:30 GMT

@alexal,

on most of the big companies, or companies where security is not a must, but also there are audit procedures, they have periodic checks specially meant for the web applications, where alarms may raise, such as the Poodle and others related to SSL.

As consultant, I received several request on several clients to close this vulnerability. Of course, for the first request, I did my homework checking with SAS Technical Support. Once I had the green light, I did the change and some validations, no problem.

I feel curious: how come that this vulnerability is not included in https://support.sas.com/en/security-bulletins.html and not included on a hotfix? Is it in use by any SAS Web application?

Re: Apache Web Server ETag Header Information Disclosure

alexal — Wed, 28 Jun 2017 08:03:36 GMT

@JuanS_OCS,

I do not have any details about this vulnerability, but I would suggest to open a technical support track and request that information. We have a specific procedure that we need to follow when contacting Product Security Incident Response Team (PSIRT), so only this team can respond.

Re: Apache Web Server ETag Header Information Disclosure

Kurt_Bremser — Wed, 28 Jun 2017 08:36:29 GMT

Have a look at https://communities.sas.com/t5/SASware-Ballot-Ideas/Keep-3rd-party-software-current/idi-p/355959, where I suggested that SAS should keep the third-party web server software (apache and tomcat, both open-source) up-to-date, better than it is doing now.