Avamar: Security Scanner flag Avamar server for HTTP OPTIONS Method Enabled

Summary: Security scanners identify Avamar server for having http OPTIONS method enabled.


Security Article Type

Security KB

Issue Summary

The http OPTIONS method is useful for debugging but should be disabled when not in use. TRACE should also be disabled for the same reason, although security scanners do not always identify TRACE.

Details

To see what http methods are allowed from the Avamar command line, run the command:

curl --head --insecure --location --request OPTIONS https://localhost

Example when http OPTIONS is allowed (the first block is the 301 redirect that --location follows; the second response answers the OPTIONS request with 200, and its Allow header lists both OPTIONS and TRACE, which is what the scanner reports):
root@avmtest5:~/#: curl --head --insecure --location --request OPTIONS https://localhost
HTTP/1.1 301 Moved Permanently
Date: Mon, 19 Sep 2022 19:14:25 GMT
Server: Apache
Location: https://localhost/dtlt/home.html
Cache-Control: max-age=7200000
Expires: Mon, 12 Dec 2022 03:14:25 GMT
Content-Length: 240
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 200 200
Date: Mon, 19 Sep 2022 19:14:25 GMT
Server: Apache
X-FRAME-OPTIONS: SAMEORIGIN
Set-Cookie: JSESSIONID=F3B34D7245B31DF7BB43763A15D412C6; Path=/dtlt; Secure; HttpOnly; SameSite=Strict
Allow: GET, HEAD, POST, TRACE, OPTIONS
Content-Language: en-US
Content-Length: 0
Cache-Control: max-age=7200000
Expires: Mon, 12 Dec 2022 03:14:25 GMT
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Public-Key-Pins: pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q="; max-age=2592000; includeSubDomains
Vary: User-Agent
Content-Type: text/html

Recommendations

Remove the http OPTIONS:

  1. Make a backup of the Apache2 configuration for httpd:
     cp -p /etc/apache2/httpd.conf /etc/apache2/x-httpd.conf.backup
  2. Edit the configuration:
     vi /etc/apache2/httpd.conf
  3. Add the following lines to the bottom of the file (any request whose method is not in the LimitExcept list is denied, so OPTIONS is no longer served):
     <Location />
         <LimitExcept GET POST HEAD PUT DELETE>
             Require all denied
         </LimitExcept>
     </Location>
  4. Restart Apache2:
     systemctl restart apache2
  5. Test again with the curl command to confirm that the OPTIONS request is now blocked:
     curl --head --insecure --location --request OPTIONS https://localhost

Expected output when http OPTIONS is disabled (the 301 redirect is unchanged, but the redirected OPTIONS request now returns 503 Service Unavailable with no Allow header):
root@test-server:~/#: curl --head --insecure --location --request OPTIONS https://localhost
HTTP/1.1 301 Moved Permanently
Date: Mon, 19 Sep 2022 19:07:37 GMT
Server: Apache
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Public-Key-Pins: pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q="; max-age=2592000; includeSubDomains
Location: https://localhost/dtlt/home.html
Cache-Control: max-age=7200000
Expires: Mon, 12 Dec 2022 03:07:37 GMT
Content-Length: 240
Content-Type: text/html; charset=iso-8859-1

HTTP/1.1 503 Service Unavailable
Date: Mon, 19 Sep 2022 19:07:37 GMT
Server: Apache
Vary: accept-language,accept-charset,Accept-Encoding,User-Agent
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Public-Key-Pins: pin-sha256="klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY="; pin-sha256="633lt352PKRXbOwf4xSEa1M517scpD3l5f79xMD9r9Q="; max-age=2592000; includeSubDomains
Accept-Ranges: bytes
X-FRAME-OPTIONS: SAMEORIGIN
Connection: close
Content-Type: text/html; charset=utf-8
Content-Language: en
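To re-run this verification automatically (for example after an Avamar upgrade rewrites httpd.conf), the following added Python example parses a saved curl --head --location --request OPTIONS transcript and reports whether OPTIONS or TRACE is still served. It is not part of the Dell article; the two sample transcripts are constructed, abridged from the outputs shown above, and the check deliberately reads only the final hop because --location prints the 301 redirect block first.

```python
"""Verdict on a saved `curl --head --location --request OPTIONS` transcript."""
import re

# Constructed sample, abridged from the article's "OPTIONS allowed" output.
# curl --location prints one header block per hop, separated by a blank line.
ALLOWED_TRANSCRIPT = """\
HTTP/1.1 301 Moved Permanently
Server: Apache
Location: https://localhost/dtlt/home.html
Content-Length: 240

HTTP/1.1 200 200
Server: Apache
Allow: GET, HEAD, POST, TRACE, OPTIONS
Content-Length: 0
"""

# Constructed sample, abridged from the "OPTIONS disabled" output: final hop is 503.
BLOCKED_TRANSCRIPT = """\
HTTP/1.1 301 Moved Permanently
Server: Apache
Location: https://localhost/dtlt/home.html

HTTP/1.1 503 Service Unavailable
Server: Apache
Connection: close
"""

RISKY_METHODS = {"OPTIONS", "TRACE"}  # the methods the article says to disable


def split_responses(transcript):
    """Split a multi-hop curl header dump into one list of lines per response."""
    blocks = re.split(r"\r?\n\r?\n", transcript.strip())
    return [b.splitlines() for b in blocks if b.strip()]


def parse_response(lines):
    """Return (status_code, {lower-case header name: value}) for one response block."""
    match = re.match(r"HTTP/\d(?:\.\d)? (\d{3})", lines[0])
    if not match:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(match.group(1)), headers


def allowed_methods(transcript):
    """Status and Allow-listed methods of the final hop (the one answering OPTIONS)."""
    status, headers = parse_response(split_responses(transcript)[-1])
    methods = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    return status, methods


def scan_verdict(transcript):
    """A 2xx final hop means OPTIONS is served; Allow adds TRACE if it is advertised."""
    status, methods = allowed_methods(transcript)
    answered = 200 <= status < 300
    flagged = set(methods & RISKY_METHODS)
    if answered:
        flagged.add("OPTIONS")  # the server answered the OPTIONS request itself
    return {"status": status, "options_enabled": answered, "flagged": sorted(flagged)}
```

Feed it the output of the article's curl command saved to a file; a non-empty "flagged" list after the httpd.conf change means the restart did not take effect or the LimitExcept block was not applied to the path that answered.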

Affected Products

Avamar Server
Article Properties
Article Number: 000203558
Article Type: Security KB
Last Modified: 22 Apr 2025
Version:  2