Our IBM HTTP Server is running with the version 22.214.171.124. Our security scanner revealed that there were some ETag Inode Information Leakage vulnerabilities on our IHS with CVE-2003-1418. I see suggestion to add below line to our http.conf:
# Disabling ETag headers in IBM HTTP Server
FileETag None
Do we need anything else to address this issue? Please advise.
The vulnerability itself (CVE-2003-1418) is documented at the following websites:
As stated, "Apache HTTP Server 1.3.22 through 1.3.27 on OpenBSD allows remote attackers to obtain sensitive information via (1) the ETag header, which reveals the inode number, or (2) multipart MIME boundary, which reveals child process IDs (PID)."
However, generally speaking, CVE-2003-1418 is not considered a vulnerability by the Apache / IHS community since the behavior can be easily configured with the FileETag directive. Here's the documentation on FileETag:
Defining FileETag with any value that excludes the INode attribute resolves the vulnerability. So yes, defining it with None as you've mentioned would be fine since this implicitly excludes INode:
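To verify the change took effect after restarting IHS, the practical check is to look at the ETag header the server actually sends. The following is an added example, not code from the original thread: a small POSIX shell helper that classifies an Apache/IHS-style ETag by its number of hex fields (the default "INode MTime Size" form has three dash-separated fields, "MTime Size" has two, and "None" suppresses the header entirely). The sample response headers are constructed for illustration, and the localhost URL in the comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post). Classify an Apache/IHS ETag.
# Per the Apache FileETag documentation, the value is hex fields joined by "-":
#   FileETag INode MTime Size  ->  "1a2b3c-5d-4f8e1b2c3d4e5"  (three fields)
#   FileETag MTime Size        ->  "5d-4f8e1b2c3d4e5"         (two fields)
#   FileETag None              ->  no ETag header at all

# Count the "-"-separated hex fields of an ETag value.
# Strips surrounding quotes and an optional weak-validator prefix (W/).
# Prints 0 for anything that is not hex-and-dashes (e.g. a non-Apache ETag).
etag_field_count() {
    val=$(printf '%s' "$1" | sed -e 's/^W\///' -e 's/^"//' -e 's/"$//')
    case "$val" in
        ''|*[!0-9a-fA-F-]*) echo 0; return ;;
    esac
    printf '%s\n' "$val" | awk -F- '{print NF}'
}

# True (exit 0) when the ETag has three fields, i.e. the inode is included.
etag_leaks_inode() {
    [ "$(etag_field_count "$1")" -eq 3 ]
}

# Pull the ETag value out of a captured HTTP response header block.
# Prints nothing when the header is absent (FileETag None).
etag_from_headers() {
    printf '%s\n' "$1" | awk 'tolower($1)=="etag:" {print $2; exit}' | tr -d '\r'
}

# Constructed sample responses (not captured from any real host).
BEFORE='HTTP/1.1 200 OK
Server: IBM_HTTP_Server
ETag: "1a2b3c-5d-4f8e1b2c3d4e5"
Content-Type: text/html'

AFTER_MTIME_SIZE='HTTP/1.1 200 OK
Server: IBM_HTTP_Server
ETag: "5d-4f8e1b2c3d4e5"
Content-Type: text/html'

AFTER_NONE='HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html'

# Report on one header block.
report() {
    tag=$(etag_from_headers "$1")
    if [ -z "$tag" ]; then
        echo "no ETag header (FileETag None)"
    elif etag_leaks_inode "$tag"; then
        echo "ETag $tag has 3 fields: inode exposed"
    else
        echo "ETag $tag has $(etag_field_count "$tag") fields: inode not exposed"
    fi
}

report "$BEFORE"
report "$AFTER_MTIME_SIZE"
report "$AFTER_NONE"

# Against a live server (assumed to listen on http://localhost/), feed the
# real headers to the same check:
#   report "$(curl -sI http://localhost/)"
```

Note that the checks above only read the ETag of a static file response; FileETag does not affect ETags generated by applications behind IHS, and a scanner may still flag hosts whose ETag happens to contain three hex fields for other reasons, so confirm the directive is in the active httpd.conf (and any per-directory overrides) rather than relying on the pattern alone.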