Issue
A security scan of your Jenkins installation is warning that the HTTP TRACE/TRACK methods are enabled, and that this is a possible security issue. You want to disable these methods to silence the security warning.
Environment
-
CloudBees CI (CloudBees Core) on modern cloud platforms - Managed controller
-
CloudBees CI (CloudBees Core) on modern cloud platforms - Operations Center
-
CloudBees CI (CloudBees Core) on traditional platforms - Client controller
-
CloudBees CI (CloudBees Core) on traditional platforms - Operations Center
Resolution
Jenkins bundles the Jetty HTTP server and uses this by default as the web application server. Prior to version 2.205, the Jetty configuration file that was bundled with Jenkins did not disable the HTTP TRACE method, and this could cause security scanners to display a warning. We don’t believe that the TRACE method presents any significant security risk, but there is also no practical reason to have it enabled. If you are using a Jenkins version older than 2.205 and you wish to disable HTTP TRACE, you will need to do this manually.
This document is not relevant if you are running Jenkins in Tomcat.
Workaround
1. Make a backup of JENKINS_HOME/war/WEB-INF/web.xml.
2. Edit JENKINS_HOME/war/WEB-INF/web.xml and search for the existing security-constraint sections - there should be two like this already:
<security-constraint>
<web-resource-collection>
<web-resource-name>Hudson</web-resource-name>
<url-pattern>/loginEntry</url-pattern>
<!--http-method>GET</http-method-->
</web-resource-collection>
<auth-constraint>
<role-name>**</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>other</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<!-- no security constraint -->
</security-constraint>
3. Below this, add the following third entry:
<!-- ==================================================================== -->
<!-- Disable TRACE method with security constraint (copied from jetty) -->
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Disable TRACE</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
4. Restart Jenkins.
After this change, you should get a 403 if you try to use the TRACE method, rather than a 200. Please also note that if you upgrade Jenkins, this change will be lost and you will need to perform these steps again.