Configuring the BIG-IP system to exclude inode information from Etags

Information

When connecting to the Configuration utility, responses from the Apache server contain an Etag HTTP header that includes the file's inode information.

For example:

ETag: "8d74-ced-eeed38c0"

In this example, 8d74 is the inode of the file printed in hex.

This information is only provided while accessing the management GUI. Therefore, F5 Product Development considers the impact or risk of revealing this information as low.

Some security scanners may detect the system as vulnerable to Apache vulnerability CVE-2003-1418 because the inode information is disclosed. The Apache vulnerability was addressed with the addition of the FileETag httpd setting, which allows the Etag header to be configurable.
However, the default behavior of the Apache service was not changed. The versions of Apache used by the BIG-IP system support the FileETag httpd setting required to configure the Etag header.

Solution

Customers who need to comply with local security requirements can configure the BIG-IP system to exclude inode information from Etags. To do so, perform the following procedure:
1. Log in to tmsh by entering the following command:
tmsh

2. To specify the format to be used for the Etag header, enter the following command:
modify /sys httpd include "FileETag MTime Size"

3. Save the configuration change by entering the following command:
save /sys config

4. To restart the httpd service, enter the following command:
restart /sys service httpd

See Also

https://support.f5.com/csp/article/K53108777#link_01

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-10, CAT|II, CCI|CCI-000054, Rule-ID|SV-74521r2_rule, STIG-ID|F5BI-DM-000003, Vuln-ID|V-60091

Plugin: F5

Control ID: da756150fa100c21aabf12c8b6ae868e9ac034b8e581d4f3e35719faf7c5d73c