Icinga agent version within HTTP Server header

Hi,

our cyber security team has reported a vulnerability in the Icinga2 agent (both Linux and Windows server versions) which discloses its underlying software version details to end users within the HTTP Server header returned in the response.

This vulnerability provides an attacker with network access to the affected host with information about the version of the backend web server and software framework. Such information can be used to look for known vulnerabilities or exploits for the disclosed software version. With this information attackers can craft more tailored attacks against the target.

Is it possible to add an option to mask this information, for example by setting up the ApplicationVersion variable, in future releases of the Icinga2 agent?

Thanks,

Cvancara

2 Likes

I think that it is a good idea to have something like that, Apache can hide its version too, but don't rely on security by obscurity that much.
Software like WordPress, Nextcloud, MS Exchange exposes its version out of the box and I don't see anyone pointing a finger at them. Yes, there are many "patches" and tutorials out there on how to hide that, but on most of the instances these settings are default.
Keep your software up to date.

Anyway, you could create a GitHub issue for that and/or provide a pull request:

Some thoughts on my side: hide the version if unauthenticated, expose it for authenticated users. That should be like one additional if clause.
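Two small pieces of code illustrate the thread: a check that tells you whether a captured response head leaks a version in its Server header (the finding the security team raised), and the header policy the reply sketches, where the bare product token is returned to unauthenticated callers and the versioned token only after authentication. This is an added example, not Icinga project code; the header value `Icinga/r2.14.0-1` and the response heads are constructed samples, and the function names are mine.

```python
"""Audit a raw HTTP response head for version disclosure in the Server
header, and show an authenticated-only version policy for that header.
Added example; the sample responses below are constructed, not captured."""
import re
from typing import Dict, Optional

# Product token followed by a version component, e.g. "Icinga/r2.14.0-1"
# or "Apache/2.4.57". The optional "r" covers release-tag style versions.
_VERSIONED = re.compile(r"^(?P<product>[A-Za-z][\w.-]*)/(?P<version>r?\d[\w.-]*)")


def parse_response_head(raw: bytes) -> Dict[str, str]:
    """Parse the headers of a raw HTTP response head.

    Header names are lower-cased; for duplicate headers the first value wins.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(":")
        key = name.strip().lower()
        if sep and key not in headers:
            headers[key] = value.strip()
    return headers


def disclosed_version(server_header: Optional[str]) -> Optional[str]:
    """Return the version string carried by a Server header, or None."""
    if not server_header:
        return None
    m = _VERSIONED.match(server_header.strip())
    return m.group("version") if m else None


def server_header_for(authenticated: bool, product: str, version: str) -> str:
    """The policy from the reply: bare product token for unauthenticated
    requests, product/version once the caller has authenticated."""
    return f"{product}/{version}" if authenticated else product


def audit(raw: bytes) -> str:
    """One-line finding for a captured response head."""
    version = disclosed_version(parse_response_head(raw).get("server"))
    return f"version disclosed: {version}" if version else "no version in Server header"


# Constructed sample response heads (hypothetical values, not real captures).
LEAKING = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Icinga/r2.14.0-1\r\n"
    b'WWW-Authenticate: Basic realm="Icinga 2"\r\n'
    b"Content-Length: 0\r\n\r\n"
)
MASKED = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Icinga\r\n"
    b"Content-Length: 0\r\n\r\n"
)


if __name__ == "__main__":
    for sample in (LEAKING, MASKED):
        print(audit(sample))
    print(server_header_for(False, "Icinga", "r2.14.0-1"))
    print(server_header_for(True, "Icinga", "r2.14.0-1"))
```

The audit half is what a scanner or a review of your own captures would flag; the policy half is the "one additional if clause" from the reply, kept as a pure function so the decision is easy to unit-test independently of the HTTP layer.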