Check: TCAT-AS-000930
Apache Tomcat 9 STIG:
TCAT-AS-000930
(in version v1 r0.1)
Title
Default error pages for manager application must be customized. (Cat III impact)
Discussion
Default error pages that accompany the manager application provide sensitive information to potential attackers. These error pages provide responses to 401, 402, and 403 error codes and must be modified so the error responses do not provide clients with any sensitive information.
Check Content
From the Tomcat server console, run the following command:
sudo cat $CATALINA_HOME/webapps/manager/WEB-INF/jsp/401.jsp
Repeat for the 402.jsp and 403.jsp files. The default error files contain default passwords and user accounts. If the error files in this folder have not been customized and the default account information removed, this is a finding.
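The check above can be automated. The following POSIX shell script is an added example, not part of the STIG text or of Tomcat itself: it scans the manager application's 401, 402 and 403 error pages for leftover default-account content and reports a finding when any page is missing or still matches. The marker patterns (credential attributes, a reference to tomcat-users.xml, the manager role names) are an assumption about what the stock pages contain; the sample page trees it builds under a temporary directory are constructed so the script runs stand-alone. In practice, point `check_error_pages` at `$CATALINA_HOME/webapps/manager/WEB-INF/jsp`.

```shell
#!/bin/sh
# Added example (not part of the STIG or Tomcat): scan the manager
# application's 401/402/403.jsp pages for default-account content.
# MARKERS is an assumption about the stock pages: example credential
# attributes, the tomcat-users.xml reference and the manager role names.
MARKERS='password=|username=|tomcat-users\.xml|manager-gui|manager-script'

# check_error_pages DIR
# DIR is the manager's WEB-INF/jsp directory. Prints one line per page.
# Returns 0 when all three pages are customized, 1 when any page is
# missing or still carries a marker (a finding in STIG terms).
check_error_pages() {
    dir=$1
    rc=0
    for code in 401 402 403; do
        f="$dir/$code.jsp"
        if [ ! -f "$f" ]; then
            echo "FINDING: $f not found"
            rc=1
            continue
        fi
        if grep -E -q -i "$MARKERS" "$f"; then
            echo "FINDING: $f still contains default account content:"
            grep -E -n -i "$MARKERS" "$f" | sed 's/^/    /'
            rc=1
        else
            echo "OK: $f customized"
        fi
    done
    return $rc
}

# Build a constructed sample tree (not real Tomcat files) so the
# script can be run without a Tomcat installation.
make_sample() {
    base=$(mktemp -d)
    mkdir -p "$base/default/jsp" "$base/fixed/jsp"
    # Constructed stand-in for a stock page: still shows an example user entry.
    cat > "$base/default/jsp/401.jsp" <<'EOF'
<p>401 Unauthorized</p>
<p>Add to tomcat-users.xml: &lt;user username="tomcat" password="example" roles="manager-gui"/&gt;</p>
EOF
    cp "$base/default/jsp/401.jsp" "$base/default/jsp/402.jsp"
    cp "$base/default/jsp/401.jsp" "$base/default/jsp/403.jsp"
    # Constructed customized pages: generic text only, no account data.
    for code in 401 402 403; do
        printf '<p>Error %s: contact the system administrator.</p>\n' "$code" \
            > "$base/fixed/jsp/$code.jsp"
    done
    echo "$base"
}

SAMPLE=$(make_sample)
check_error_pages "$SAMPLE/default/jsp" || echo "Result: finding (default pages present)"
check_error_pages "$SAMPLE/fixed/jsp" && echo "Result: not a finding"
```

The script reports the matching line numbers so the reviewer can see exactly which text must be removed before the pages are accepted as customized; a missing page is treated as a finding rather than silently skipped, since a deleted page falls back to Tomcat's built-in error output rather than the customized one.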
Fix Text
From the Tomcat server, as a privileged user, use a file editor such as nano or vi to edit the 401, 402, and 403 jsp files. Remove sensitive account information and make the files reflect generic error information that assists users but does not provide sensitive data to them. Save the files and restart Tomcat:
sudo systemctl restart tomcat
sudo systemctl daemon-reload
Additional Identifiers
Rule ID: TCAT-AS-000930_rule
Vulnerability ID: TCAT-AS-000930
Group Title: SRG-APP-000267-AS-000170
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001314 | The information system reveals error messages only to organization-defined personnel or roles. |
Controls
Number | Title |
---|---|
SI-11 | Error Handling |