JVM version leakage
Description
The web server exposes the Java Virtual Machine (JVM) version information in the HTTP Server response header. This information disclosure occurs when the application server is not properly configured to suppress version details, allowing remote users to identify the specific JVM implementation and version being used without authentication.
Remediation
Configure your application server to suppress JVM version information from HTTP response headers. The specific configuration depends on your server:
For Apache Tomcat:
Edit the server.xml file and set the server attribute in the Connector element:
    <Connector port="8080" protocol="HTTP/1.1"
               server="" />

For Jetty:
Add the following to your configuration:
    Server server = new Server();
    server.setSendServerVersion(false);

In Jetty 9 and later this setting is no longer a method of Server; it lives on HttpConfiguration (httpConfig.setSendServerVersion(false)) attached to the connector.
For WildFly/JBoss:
Configure the undertow subsystem in standalone.xml:

    <server name="default-server">
        <http-listener name="default" socket-binding="http"
                       server-name="" />
    </server>

After making changes, restart the application server and verify that the Server header no longer contains JVM version information.
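As an added verification aid (not part of this advisory), the following Python check parses an HTTP response head and flags a Server header that still discloses a version number or names the JVM; the two sample responses are constructed, and check_live assumes a host and port you supply for a server you administer.

```python
import re
from http.client import HTTPConnection

# Constructed sample response heads (not captured from a real server).
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Example-AppServer/2.0 (Java/1.8.0_292)\r\n"
    "Content-Length: 0\r\n\r\n"
)
FIXED_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

# A dotted number ("1.8", "9.4.12") or an explicit JVM/Java mention counts as disclosure.
VERSION_RE = re.compile(r"\d+\.\d+|\bjava\b|\bjvm\b|\bjre\b|\bjdk\b", re.IGNORECASE)


def parse_head(raw):
    """Parse a raw HTTP response head into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:                     # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def server_header_discloses(headers):
    """Return (leaks, value): leaks is True when a Server header is present and
    carries a version number or names the JVM; an absent or bare product name passes."""
    value = headers.get("server", "")
    return (bool(value) and VERSION_RE.search(value) is not None, value)


def check_live(host, port=8080, path="/"):
    """HEAD request against a server you administer (host/port are assumptions),
    then the same check on its real response headers."""
    conn = HTTPConnection(host, port, timeout=5)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()
    return server_header_discloses(headers)


if __name__ == "__main__":
    for label, raw in (("before", LEAKY_RESPONSE), ("after", FIXED_RESPONSE)):
        leaks, value = server_header_discloses(parse_head(raw))
        print(f"{label}: Server={value!r} leaks={leaks}")
```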