Web Server Discloses Software Type And Version Vulnerability when scanning Novell Access Manager

  • 7011409
  • 21-Nov-2012
  • 21-Nov-2012


Identity Server and Access Gateway of 3.2 SP1 installed on Windows 2008 R2
NetIQ Access Manager 3.2 Support Pack 1 applied


Identity (IDP) Server and Access Gateway (AG) of 3.2 SP1 installed and configured on Windows 2008 R2 platform. All Web applications protected by the Access Gateway worked fine ie. users could single sign on to back end applications behind the AG after having successfully authenticated at the IDP server.

Before going live, a security scan of the system found the following vulnerability:

Web Server Discloses Software Type And Version [NOT FIXED]
Source Web Application Assessment
Level Of Severity Suggested Likelihood Of Threat High
Affected Components neologin-staging.novell.com (443/tcp)
The Team observed that the web servers on the affected hosts disclosed information about their software type and version within the HTTP ‘Server’ header field:

Recommend that the web server should be reconfigured to display the minimal amount of information, or to display false information.
Apache servers can be configured to give the minimum amount of information by adding the following directive to the Apache configuration file (usually ‘httpd.conf’ or ‘apache.conf’):
ServerTokens Prod
Alternatively, on Apache-based servers ‘mod_security’ can be used to change the server signature to any value. The following directive should be added to the configuration file:
SecServerSignature "New_Server_Signature


Modify the IDP connector information in the server.xml to add a 'Server=' string.

In the setup above, the Apache-Coyote/1.1 HTTP header was returned by the IDP server. By modifying the C:\Program Files (x86)\Novell\Tomcat\conf\server.xml with the following information:

<Connector NIDP_Name="connector" SSLEnabled="true" URIEncoding="utf-8" acceptCount="0" address="" clientAuth="false" disableUploadTimeout="true" enableLookups="false" keystoreFile="C:\Program Files (x86)\Novell\devman\jcc/certs/idp/connector.keystore" keystorePass="cAOr9312zor2X28" maxThreads="600" minSpareThreads=" 5 " port="8443" scheme="https" sslImplementationName="com.novell.nidp.common.util.net.server.NIDPSSLImplementation" sslProtocol="tls" useBodyEncodingURI="false" server="Confidential"/>

.... and restarting  tomcat using the following

net stop tomcat7
net start tomcat7

The Server HTTP header is displayed as "Confidential".