
SRV-148 (Jeus) Web service information exposure

by 49 BLOCK 2024. 1. 4.

【 Detailed description 】
If information such as the web server type and version is exposed, an attacker can use it to prepare further attacks, so check whether appropriate security settings are in place.

【 Assessment criteria 】
- Good : no information is exposed in the web server's responses
- Vulnerable : information (service name + version) is exposed in the web server's responses

※ Information exposure: vulnerable when the service name together with the version information is exposed

【 Assessment method 】
  1. Check the settings that restrict web service information exposure in the web service configuration file
      ※ JEUS 6.0 Fix#6 and later do not expose web service information by default, so in the usual case no check is needed
      ※ Jeus 7 and later : check whether anything is configured under <response-header><custom-header> ("vulnerable" if "service name + version information" is set there)
      ※ Jeus 6.0 Fix#6 and later : check the settings inside <command-option> ("vulnerable" if "-Djeus.servlet.response.header.serverInfo=true" is registered)
      ※ Jeus 5, 6 : check whether "-Djeus.servlet.response.header.serverInfo=false" is set in <command-option> ("vulnerable" if it is not registered)

  ■ Linux, AIX, HP-UX, SOLARIS
      [Jeus 7, 8, 8.5, 21]
      # cat /<Jeus_home_dir>/domains/<domain_name>/config/domain.xml
          <servers>
              <server>
                  <name>Master_Server_Name</name>
                  …
                  <web-engine>
                      …
                      <response-header>
                          <custom-header>
                              <header-field>
                                  <field-name><custom_name></field-name>
                                  <field-value><custom_value></field-value>
                              </header-field>
                          </custom-header>
                      </response-header>
                      …

      [Jeus 5, 6]
      # cat /<Jeus_home_dir>/config/<node_name>/JEUSMain.xml
          <jeus-system xmlns="http://www.tmaxsoft.com/xml/ns/jeus">
              <node>
                  <name>Node_Name</name>
                  <engine-container>
                      <name>Container_Name</name>
                      <id>72</id> 
                      <base-port>7000</base-port>
                      <command-option>
                          -Djeus.servlet.response.header.serverInfo=false
                      </command-option>
                      ...
                  </engine-container>

  ■ Windows
      [Jeus 7, 8, 8.5, 21]
      cmd > notepad <Jeus_home_dir>\domains\<domain_name>\config\domain.xml
          <servers>
              <server>
                  <name>Master_Server_Name</name>
                  …
                  <web-engine>
                      …
                      <response-header>
                          <custom-header>
                              <header-field>
                                  <field-name><custom_name></field-name>
                                  <field-value><custom_value></field-value>
                              </header-field>
                          </custom-header>
                      </response-header>
                      …

      [Jeus 5, 6]
      cmd > notepad <Jeus_home_dir>\config\<node_name>\JEUSMain.xml
          <jeus-system xmlns="http://www.tmaxsoft.com/xml/ns/jeus">
              <node>
                  <name>Node_Name</name>
                  <engine-container>
                      <name>Container_Name</name>
                      <id>72</id> 
                      <base-port>7000</base-port>
                      <command-option>
                          -Djeus.servlet.response.header.serverInfo=false
                      </command-option>
                      ...
                  </engine-container>

【 Remediation 】
  1. Configure the restriction on web service information exposure in the web service configuration file
      ※ Jeus 7 and later : remove the "service name + version information" text from <response-header><custom-header> (if the header is not needed for business purposes, delete the entire <response-header> block)
      ※ Jeus 6.0 Fix#6 and later : delete the "-Djeus.servlet.response.header.serverInfo=true" setting from <command-option>
      ※ Jeus 5, 6 : register "-Djeus.servlet.response.header.serverInfo=false" in <command-option>
  2. Restart the web service
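The following script applies the three version-specific rules from the assessment and remediation sections above to domain.xml (Jeus 7 and later) and JEUSMain.xml (Jeus 5, 6) offline; it is an added example for this page, not part of the original checklist or of JEUS itself. The sample configuration strings are constructed, the <domain> root element and the regular expression defining "service name + version" are assumptions, and only the configuration file is inspected, not a live HTTP response.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: a header value exposes "service name + version" when it names JEUS
# followed by a version number (e.g. "JEUS/8.5", "JEUS 7.0 Fix#3").
SERVICE_VERSION_RE = re.compile(r"jeus\W*\d+(?:\.\d+)*", re.IGNORECASE)
SERVER_INFO_FLAG = "-Djeus.servlet.response.header.serverInfo"

def check_domain_xml(xml_text):
    """Jeus 7+: verdict plus the (server, field-name, field-value) triples that expose info."""
    root = ET.fromstring(xml_text)
    findings = []
    for server in root.findall(".//{*}server"):  # {*} matches any (or no) namespace
        server_name = (server.findtext("{*}name") or "?").strip()
        for hf in server.findall(".//{*}response-header/{*}custom-header/{*}header-field"):
            field = (hf.findtext("{*}field-name") or "").strip()
            value = (hf.findtext("{*}field-value") or "").strip()
            if SERVICE_VERSION_RE.search(value):
                findings.append((server_name, field, value))
    return ("VULNERABLE" if findings else "GOOD", findings)

def check_jeusmain_xml(xml_text, fix6_or_later):
    """Jeus 5/6: verdict per engine-container, derived from the serverInfo JVM option."""
    root = ET.fromstring(xml_text)
    verdicts = {}
    for container in root.findall(".//{*}engine-container"):
        name = (container.findtext("{*}name") or "?").strip()
        opts = " ".join(o.text or "" for o in container.findall("{*}command-option"))
        if fix6_or_later:  # exposure is off by default; only an explicit =true is a finding
            exposed = f"{SERVER_INFO_FLAG}=true" in opts
        else:              # exposure is on by default; =false must be present
            exposed = f"{SERVER_INFO_FLAG}=false" not in opts
        verdicts[name] = "VULNERABLE" if exposed else "GOOD"
    return verdicts

# Constructed sample configs in the shape shown above (not from a real installation).
DOMAIN_XML = """<domain xmlns="http://www.tmaxsoft.com/xml/ns/jeus"><servers>
<server><name>server1</name><web-engine><response-header><custom-header>
<header-field><field-name>Server</field-name><field-value>JEUS/8.5</field-value></header-field>
<header-field><field-name>X-Frame-Options</field-name><field-value>DENY</field-value></header-field>
</custom-header></response-header></web-engine></server></servers></domain>"""
JEUSMAIN_XML = """<jeus-system xmlns="http://www.tmaxsoft.com/xml/ns/jeus"><node><name>node1</name>
<engine-container><name>container1</name><id>72</id><base-port>7000</base-port>
<command-option>-Djeus.servlet.response.header.serverInfo=false</command-option></engine-container>
<engine-container><name>container2</name><id>73</id><base-port>7010</base-port>
<command-option>-Xmx512m</command-option></engine-container></node></jeus-system>"""

if __name__ == "__main__":
    print("domain.xml:", check_domain_xml(DOMAIN_XML))
    print("JEUSMain.xml (Jeus 5/6):", check_jeusmain_xml(JEUSMAIN_XML, fix6_or_later=False))
```

Run it against a real installation by reading the files from the paths listed in the assessment section; the result only reflects the configuration, so confirm with a response capture after the restart.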

  2024-01-13 : (remediation procedure removed)