GISS Review - Banner Grabbing and Version Disclosure

Document ID : KB000101648
Last Modified Date : 15/06/2018
Introduction:
When a response is received after making a request to the application, that response also carries a banner (the Server HTTP header) containing details of the backend server supporting the application.
Question:
When a response is received after making a request to the application, that response also carries a banner (the Server HTTP header) containing details of the backend server supporting the application. A malicious user can leverage the details disclosed in server banners (the version in use, the framework) and weakly encrypted channels to narrow the scope of their testing and focus on vulnerabilities known for that server version. They can then try to exploit these vulnerabilities to compromise the web server and the application hosted on that server. It is recommended to configure the server so that it does not reveal this information, i.e. suppress the banner in the server response. https://blogs.msdn.microsoft.com/varunm/2013/04/23/remove-unwanted-http-response-headers/
Environment:
PERFORMANCE MANAGEMENT, Release: 3.5, Operating System: RHEL 7.4 
Answer:

In the Jetty start.ini file for each service, un-comment the line for jetty.httpConfig.sendServerVersion and set its value to false. Jetty reads start.ini at startup, so the change takes effect once the service is restarted.
For the CAPM 3.5 release, there is no option to disable the Server header sent by Karaf.
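The following is an added example, not part of this KB article or of the CAPM product: a small POSIX shell helper that applies the start.ini change described above and checks a response header block for a remaining Server header. The start.ini content and the HTTP response lines it works on are constructed samples; the start.ini path and the host/port in the usage note are placeholders.

```shell
#!/bin/sh
# Added example (not from the KB). All inputs below are constructed samples.

# Write a constructed Jetty-style start.ini with the property commented out,
# which is how the distributed file usually ships (default value true).
make_sample_ini() {
    cat > "$1" <<'EOF'
# --- Module: http ---
--module=http
jetty.http.port=8080
# jetty.httpConfig.sendServerVersion=true
# jetty.httpConfig.sendDateHeader=false
EOF
}

# Un-comment jetty.httpConfig.sendServerVersion (whatever its value) and set it
# to false. If the property is missing altogether, append it so the module
# default of true is overridden. Avoids `sed -i` so it runs on GNU and BSD sed.
disable_server_version() {
    ini="$1"
    if grep -q '^#* *jetty\.httpConfig\.sendServerVersion=' "$ini"; then
        sed 's/^#* *jetty\.httpConfig\.sendServerVersion=.*/jetty.httpConfig.sendServerVersion=false/' \
            "$ini" > "$ini.tmp" && mv "$ini.tmp" "$ini"
    else
        echo 'jetty.httpConfig.sendServerVersion=false' >> "$ini"
    fi
}

# Print the value of the active (un-commented) setting; prints nothing when the
# line is commented out or absent, which means Jetty's default (true) applies.
active_setting() {
    sed -n 's/^jetty\.httpConfig\.sendServerVersion=//p' "$1"
}

# Exit 0 if the HTTP header block on stdin still contains a Server: header
# (banner disclosed), 1 otherwise. Header names are case-insensitive.
server_header_present() {
    grep -qi '^Server:'
}

# Stand-alone demonstration on a temporary file.
demo() {
    tmp=$(mktemp)
    make_sample_ini "$tmp"
    echo "before: active setting='$(active_setting "$tmp")' (empty => default true)"
    disable_server_version "$tmp"
    echo "after:  active setting='$(active_setting "$tmp")'"
    # Constructed response as a banner-disclosing Jetty would send it.
    if printf 'HTTP/1.1 200 OK\r\nServer: Jetty(9.x)\r\nContent-Length: 0\r\n' | server_header_present; then
        echo "sample response: Server header present (banner disclosed)"
    fi
    rm -f "$tmp"
}
```

In practice, run `disable_server_version /path/to/<service>/start.ini` against each service's file, restart the service, and verify with `curl -sI http://<host>:<port>/ | server_header_present && echo 'still disclosed'`; the `-I` flag returns only the response headers, which is all the check needs. Note that this only addresses the Jetty services; it does nothing for the Karaf Server header mentioned above.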
Additional Information: