How can I disable the HTTP TRACE method in Jenkins?

Issue

A security scan of your Jenkins installation is warning that the HTTP TRACE/TRACK methods are enabled, and that this is a possible security issue. You want to disable these methods to silence the security warning.

Environment

Resolution

Jenkins bundles the Jetty HTTP server and uses this by default as the web application server. Prior to version 2.205, the Jetty configuration file that was bundled with Jenkins did not disable the HTTP TRACE method, and this could cause security scanners to display a warning. We don’t believe that the TRACE method presents any significant security risk, but there is also no practical reason to have it enabled. If you are using a Jenkins version older than 2.205 and you wish to disable HTTP TRACE, you will need to do this manually.

This document is not relevant if you are running Jenkins in Tomcat.

Workaround

1. Make a backup of JENKINS_HOME/war/WEB-INF/web.xml.

2. Edit JENKINS_HOME/war/WEB-INF/web.xml and search for the existing security-constraint sections - there should be two like this already:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Hudson</web-resource-name>
      <url-pattern>/loginEntry</url-pattern>
      <!--http-method>GET</http-method-->
    </web-resource-collection>
    <auth-constraint>
      <role-name>**</role-name>
    </auth-constraint>
  </security-constraint>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>other</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- no security constraint -->
  </security-constraint>

3. Below this, add the following third entry:

  <!-- ==================================================================== -->
  <!-- Disable TRACE method with security constraint (copied from jetty)    -->
  <!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Disable TRACE</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

4. Restart Jenkins.

After this change, you should get a 403 if you try to use the TRACE method, rather than a 200. Please also note that if you upgrade Jenkins, this change will be lost and you will need to perform these steps again.

Have more questions?

0 Comments

Please sign in to leave a comment.