I recently got updated by InfoSec that we need to be careful about ETags using Apache WebServer (HTTPD) as they reveal inode and can be exploited especially in NFS etc.

But I am moving to Tomcat 7. Do I need to care about all these ETag vulnerabilities in Tomcat also? If yes, how can I mitigate?

Thanks.

Novice User

1 Answer

Security tools sometimes report this ETag inode exposure when it is not there. Unless you have an ancient Apache version (1.3.27 or earlier), I'd recommend you challenge the infosec team to prove that it is real.
Tomcat 7 is a completely different product written in Java and does not calculate the ETags in a way that can expose sensitive server information. So, no.

See also this previous question.

mcgyver5
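
A check for whether an ETag header actually has the inode-bearing layout, added here as an example and not part of the answer above. It assumes Apache httpd's three-field hex form `"inode-size-mtime"` (emitted when `FileETag` includes `INode`) and Tomcat 7's DefaultServlet form `W/"length-lastModified"`; the function names and sample headers are constructed.

```python
import re
from datetime import datetime, timezone

# Assumed layouts (not stated on the page):
#   Apache httpd, FileETag with INode: "inode-size-mtime", three hex fields
#   Tomcat 7 DefaultServlet: W/"<length>-<lastModified ms>", two decimal fields
_HEX3 = re.compile(r'^(?:W/)?"([0-9a-f]+)-([0-9a-f]+)-([0-9a-f]+)"$', re.I)
_TOMCAT = re.compile(r'^W/"(\d+)-(\d{12,14})"$')

def classify_etag(header_value):
    """Return (verdict, details) for one ETag header value."""
    value = header_value.strip()
    m = _HEX3.match(value)
    if m:
        inode, size, mtime = (int(g, 16) for g in m.groups())
        return "inode-layout", {"inode": inode, "size": size, "mtime_raw": mtime}
    m = _TOMCAT.match(value)
    if m:
        length, millis = int(m.group(1)), int(m.group(2))
        when = datetime.fromtimestamp(millis / 1000, tz=timezone.utc)
        return "tomcat-layout", {"length": length, "modified": when.isoformat()}
    return "other", {}

def audit(responses):
    """responses: iterable of (url, etag). Return only the inode-layout hits."""
    hits = []
    for url, etag in responses:
        verdict, details = classify_etag(etag)
        if verdict == "inode-layout":
            hits.append((url, details["inode"]))
    return hits

# Constructed sample headers, not captured from any real server.
SAMPLES = [
    ("http://legacy.example/index.html", '"2a1f3-1c4-5e8b1d2c4a000"'),
    ("http://app.example/index.html", 'W/"452-1389012345000"'),
    ("http://static.example/site.css", '"1c4-5e8b1d2c4a000"'),
]

if __name__ == "__main__":
    for url, etag in SAMPLES:
        print(url, *classify_etag(etag))
    print("flagged:", audit(SAMPLES))
```

A three-field match on an application-generated ETag can be coincidental, so confirm a hit against the server's `FileETag` setting; on Apache httpd, `FileETag MTime Size` drops the inode field.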