By default, the JBoss application server reveals its identity in the HTTP response Server header, which is considered an information leak vulnerability.
If you are operating in a PCI-compliant environment, you need to fix it.
The default configuration displays the Server banner as follows in the HTTP response header:

Server: Apache-Coyote/1.1
Implementation
- Go to the JBoss/bin folder
- Add the following to the JAVA_OPTS variable in standalone.conf:
-Dorg.apache.coyote.http11.Http11Protocol.SERVER=JbossSecureServer
Ex:
JAVA_OPTS="-Xms512m -Xmx512m -XX:MaxPermSize=256m -Xss168K -Djava.net.preferIPv4Stack=true -Dorg.jboss.resolver.warning=true -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Dfile.encoding=UTF-8 -Dorg.apache.coyote.http11.Http11Protocol.SERVER=JbossSecureServer"
- Restart the JBoss application server, and you should see that the Server header has been changed.
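The script below is an added example and is not part of the original post. It checks the two things this procedure changes: whether a captured set of response headers still advertises the stock Coyote banner, and whether the standalone.conf text carries the SERVER override inside JAVA_OPTS. The header blocks and the conf line are constructed sample data so the script runs offline; against a live host you would feed server_banner the output of `curl -sI http://host:8080/`.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks for the JBoss
# Server-banner change. Sample headers and conf text below are constructed.

# Print the value of the Server header from HTTP response headers on stdin.
# Header names are case-insensitive and lines may end in CRLF.
server_banner() {
    tr -d '\r' | awk -F': ' 'tolower($1) == "server" { print $2; exit }'
}

# Exit status 0 when the banner is the default JBoss/Tomcat one, 1 otherwise.
is_default_banner() {
    case "$1" in
        Apache-Coyote/*|JBoss*) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit status 0 when the standalone.conf text on stdin sets the SERVER property
# inside the JAVA_OPTS assignment, 1 otherwise.
conf_sets_banner() {
    grep -q 'JAVA_OPTS=".*-Dorg\.apache\.coyote\.http11\.Http11Protocol\.SERVER=[^ "]'
}

# Constructed sample: response headers before and after the change.
BEFORE_HEADERS='HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=UTF-8'

AFTER_HEADERS='HTTP/1.1 200 OK
Server: JbossSecureServer
Content-Type: text/html;charset=UTF-8'

# Constructed sample: the relevant line of standalone.conf after the edit.
FIXED_CONF='JAVA_OPTS="-Xms512m -Xmx512m -Dorg.apache.coyote.http11.Http11Protocol.SERVER=JbossSecureServer"'

# Report on one captured header block: prints a finding line and returns
# 0 when the banner has been changed, 1 when it still leaks the default.
check_headers() {
    banner=$(printf '%s\n' "$1" | server_banner)
    if is_default_banner "$banner"; then
        echo "LEAK: default banner advertised: $banner"
        return 1
    fi
    echo "OK: Server header is '$banner'"
    return 0
}

# Run the checks against the constructed samples.
for h in "$BEFORE_HEADERS" "$AFTER_HEADERS"; do
    check_headers "$h" || :
done
if printf '%s\n' "$FIXED_CONF" | conf_sets_banner; then
    echo "OK: standalone.conf sets the banner override"
else
    echo "MISSING: standalone.conf does not set the banner override"
fi
```

The header check is the one worth keeping in a deployment checklist: the conf edit can be present and still not take effect until the server is restarted, so confirm the change on the wire rather than only in the file.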
If you want to learn more about JBoss, check out this course from Packt Publishing.