OHS must have Entity tags (ETags) disabled.
An XCCDF Rule
Description
<VulnDiscussion>Entity tags (ETags) are used for cache management to save network bandwidth by not sending a web page to the requesting client if the cached version on the client is current. When the client only has the ETag information, the client will make a request to the server with the ETag. The server will then determine if the client can use the client cached version of the web page or if a new version is required. As part of the ETag information, the server sends to the client the index node (inode) information for the file being requested. The inode information gives an attacker sensitive information like inode number, multipart MIME boundaries and makes certain NFS attacks much simpler to execute.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-221417r879887_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
1. Open $DOMAIN_HOME/config/fmwconfig/components/OHS/<componentName>/httpd.conf and every .conf file (e.g., ssl.conf) included in it with an editor.
2. Search for the "Header" and "FileETag" directives at the OHS server, virtual host, or directory configuration scopes.
3a. Set the "Header" directive to "unset ETag", add the directive if it does not exist.
3b. Set the "FileETag" directive to "none", add the directive if it does not exist.