
Article Number: 000203558


Security Scanners Identify Avamar Server for Having HTTP OPTIONS Method Enabled

Summary: Security scanners identify the Avamar server as having the HTTP OPTIONS method enabled.

Article Content


Security Article Type

Security KB

Issue Summary

The HTTP OPTIONS method is useful for debugging but should be disabled when not in use. TRACE should also be disabled for the same reason, although security scanners do not always flag TRACE.

Details

To see which HTTP methods are allowed, run the following command from the Avamar command line:

curl --head --insecure --location --request OPTIONS https://localhost

Example output when HTTP OPTIONS is allowed (note OPTIONS and TRACE in the Allow header of the second response):
root@avmtest5:~/#: curl --head --insecure --location --request OPTIONS https://localhost
HTTP/1.1 301 Moved Permanently
Date: Mon, 19 Sep 2022 19:14:25 GMT
Server: Apache
Location: https://localhost/dtlt/home.html
Cache-Control: max-age=7200000
Expires: Mon, 12 Dec 2022 03:14:25 GMT
Content-Length: 240
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 200
Date: Mon, 19 Sep 2022 19:14:25 GMT
Server: Apache
X-FRAME-OPTIONS: SAMEORIGIN
Set-Cookie: JSESSIONID=F3B34D7245B31DF7BB43763A15D412C6; Path=/dtlt; Secure; HttpOnly; SameSite=Strict
Allow: GET, HEAD, POST, TRACE, OPTIONS
Content-Language: en-US
Content-Length: 0
Cache-Control: max-age=7200000
Expires: Mon, 12 Dec 2022 03:14:25 GMT
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Public-Key-Pins: pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q="; max-age=2592000; includeSubDomains
Vary: User-Agent
Content-Type: text/html

Recommendations

To disable the HTTP OPTIONS method:
  1. Back up the Apache2 httpd configuration, then open it for editing:
cp -p /etc/apache2/httpd.conf /etc/apache2/x-httpd.conf.backup
vi /etc/apache2/httpd.conf
  2. Add the following lines to the bottom of the file (all methods other than those listed are denied for every path):
<Location />
    <LimitExcept GET POST HEAD PUT DELETE>
        Require all denied
    </LimitExcept>
</Location>
  3. Restart Apache2:
systemctl restart apache2
  4. Run the curl command again to confirm that the OPTIONS request is now blocked:
curl --head --insecure --location --request OPTIONS https://localhost

Expected output when HTTP OPTIONS is disabled (the redirect is still followed, but the final response is no longer a 200 with an Allow header):
root@test-server:~/#: curl --head --insecure --location --request OPTIONS https://localhost
HTTP/1.1 301 Moved Permanently
Date: Mon, 19 Sep 2022 19:07:37 GMT
Server: Apache
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Public-Key-Pins: pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q="; max-age=2592000; includeSubDomains
Location: https://localhost/dtlt/home.html
Cache-Control: max-age=7200000
Expires: Mon, 12 Dec 2022 03:07:37 GMT
Content-Length: 240
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 503 Service Unavailable
Date: Mon, 19 Sep 2022 19:07:37 GMT
Server: Apache
Vary: accept-language,accept-charset,Accept-Encoding,User-Agent
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Public-Key-Pins: pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q="; max-age=2592000; includeSubDomains
Accept-Ranges: bytes
X-FRAME-OPTIONS: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: en
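The following script is an added example for this article, not part of the Dell KB or the Avamar product. It turns the manual check from the Details section and the verification in step 4 into something repeatable: it parses the header output of the curl command above (every response in the redirect chain that --location follows), reads the Allow header of the final response, and reports whether OPTIONS was accepted and whether OPTIONS or TRACE are advertised. TRACE is reported separately on purpose: Apache's documentation states that TRACE is controlled by the TraceEnable directive rather than by <Limit>/<LimitExcept>, so a scanner-style check should look at the Allow header and not assume the LimitExcept block covers it. The two sample transcripts are constructed, modelled on the "allowed" and "disabled" outputs shown in this article, with most headers omitted for brevity.

```python
"""Assess the output of `curl --head --location --request OPTIONS <url>`.

Usage on the Avamar server (the header lines arrive on stdout):
    curl --head --insecure --location --request OPTIONS https://localhost \
        2>/dev/null | python3 check_options.py
"""
import re
import sys

# Methods the article says should be disabled; scanners flag them.
RISKY_METHODS = {"OPTIONS", "TRACE"}

# Constructed sample: a 301 to the application path, then a 200 that lists
# the allowed methods (the "OPTIONS is allowed" case from the article).
SAMPLE_ALLOWED = """HTTP/1.1 301 Moved Permanently
Date: Mon, 19 Sep 2022 19:14:25 GMT
Server: Apache
Location: https://localhost/dtlt/home.html
Content-Length: 240

HTTP/1.1 200 200
Date: Mon, 19 Sep 2022 19:14:25 GMT
Server: Apache
Allow: GET, HEAD, POST, TRACE, OPTIONS
Content-Length: 0
"""

# Constructed sample: same redirect, but the OPTIONS request to the
# application path is refused (the "OPTIONS is disabled" case).
SAMPLE_BLOCKED = """HTTP/1.1 301 Moved Permanently
Server: Apache
Location: https://localhost/dtlt/home.html

HTTP/1.1 503 Service Unavailable
Server: Apache
Connection: close
"""


def split_responses(raw):
    """Return one (status_code, headers) tuple per response in the chain.

    Responses are separated by a blank line; header names are lower-cased
    and repeated headers are collected into a list.
    """
    responses = []
    for block in re.split(r"\r?\n\r?\n", raw.strip()):
        lines = block.splitlines()
        if not lines or not lines[0].startswith("HTTP/"):
            continue  # not a status line, e.g. stray body text
        status = int(lines[0].split(None, 2)[1])
        headers = {}
        for line in lines[1:]:
            if ":" not in line:
                continue
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
        responses.append((status, headers))
    return responses


def allowed_methods(raw):
    """Methods advertised in the Allow header of the final response."""
    responses = split_responses(raw)
    if not responses:
        return set()
    _, headers = responses[-1]
    methods = set()
    for value in headers.get("allow", []):
        methods.update(m.strip().upper() for m in value.split(",") if m.strip())
    return methods


def assess(raw):
    """Summarise the check: was OPTIONS accepted, and what is advertised."""
    responses = split_responses(raw)
    if not responses:
        raise ValueError("no HTTP status line found in input")
    final_status, _ = responses[-1]
    methods = allowed_methods(raw)
    return {
        "hops": len(responses),
        "final_status": final_status,
        # A 2xx answer to an OPTIONS request means the method is honoured,
        # whether or not an Allow header is present.
        "options_accepted": 200 <= final_status < 300,
        "advertised": sorted(methods),
        "flagged": sorted(methods & RISKY_METHODS),
    }


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ALLOWED
    result = assess(data)
    verdict = "FAIL" if result["options_accepted"] or result["flagged"] else "PASS"
    print(verdict, result)
```

Run without piped input it assesses the constructed "allowed" sample and reports FAIL with OPTIONS and TRACE flagged; piped the real curl output after the LimitExcept change, it reports PASS once the final response is no longer 2xx and no Allow header lists the risky methods.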

Article Properties


Affected Product

Avamar Server

Last Published Date

23 Sep 2022

Version

1

Article Type

Security KB