Check: TCAT-AS-000950
Apache Tomcat 9 STIG: TCAT-AS-000950 (in version v1 r0.1)
Title
Tomcat server version must not be sent with warnings and errors. (Cat III impact)
Discussion
Remove the version string from HTTP error messages by repacking CATALINA_HOME/server/lib/catalina.jar with an updated ServerInfo.properties file. This changes the server information that Tomcat includes in its error and warning responses, so the responses no longer reveal the running version.
Check Content
From the Tomcat server, cd to the $CATALINA_HOME/lib folder. As a privileged user, run the following case-sensitive command:
sudo jar -xf catalina.jar org/apache/catalina/util/ServerInfo.properties
Check the ServerInfo.properties file:
sudo grep -i server org/apache/catalina/util/ServerInfo.properties
If server.info=Apache Tomcat or server.number=the actual Tomcat version, this is a finding.
Fix Text
From the Tomcat server, cd to the $CATALINA_HOME/lib folder. As a privileged user, run the following case-sensitive command:
sudo jar -xf catalina.jar org/apache/catalina/util/ServerInfo.properties
Edit the ServerInfo.properties file:
sudo nano org/apache/catalina/util/ServerInfo.properties
Change server.info and server.number to read:
server.info=Nunya
server.number=1.2.3.4
Save the ServerInfo.properties file. Run the following command to update the catalina.jar file:
sudo jar -uf catalina.jar org/apache/catalina/util/ServerInfo.properties
Restart the Tomcat server:
sudo systemctl restart tomcat
sudo rm -rf opt/
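The following shell helper is an added example, not part of the STIG text: it applies the Check Content decision ("server.info=Apache Tomcat or server.number=the actual Tomcat version is a finding") to a ServerInfo.properties file that has already been extracted with jar -xf as above. The sample properties files, the temporary directory and the version value 9.0.50.0 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for TCAT-AS-000950 (not STIG-provided code).
# check_serverinfo <extracted ServerInfo.properties> <actual Tomcat version>
# Returns 0 when the file is compliant and 1 when the check is a finding.
check_serverinfo() {
    props="$1"
    actual="$2"
    # Pull the two keys the check looks at; drop any CR from DOS line endings.
    info=$(sed -n 's/^server\.info=//p' "$props" | tr -d '\r')
    number=$(sed -n 's/^server\.number=//p' "$props" | tr -d '\r')
    # Finding if server.info still advertises Apache Tomcat, with or without
    # the "/version" suffix the stock file carries.
    case "$info" in
        "Apache Tomcat"|"Apache Tomcat/"*) return 1 ;;
    esac
    # Finding if server.number still equals the real installed version.
    [ "$number" = "$actual" ] && return 1
    return 0
}

# Constructed samples standing in for org/apache/catalina/util/ServerInfo.properties.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/stock.properties" <<'EOF'
server.info=Apache Tomcat/9.0.50
server.number=9.0.50.0
server.built=CONSTRUCTED-BUILD-STAMP
EOF
cat > "$SAMPLES/half-fixed.properties" <<'EOF'
server.info=Nunya
server.number=9.0.50.0
EOF
cat > "$SAMPLES/fixed.properties" <<'EOF'
server.info=Nunya
server.number=1.2.3.4
EOF

# Walk the samples the way an auditor would, using 9.0.50.0 as the installed version.
for f in stock half-fixed fixed; do
    if check_serverinfo "$SAMPLES/$f.properties" "9.0.50.0"; then
        echo "$f.properties: not a finding"
    else
        echo "$f.properties: FINDING (version information still disclosed)"
    fi
done
```

On a real server, pass the path of the extracted file and the version reported by $CATALINA_HOME/bin/version.sh as the second argument.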
Additional Identifiers
Rule ID: TCAT-AS-000950_rule
Vulnerability ID: TCAT-AS-000950
Group Title: SRG-APP-000267-AS-000170
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001314 | The information system reveals error messages only to organization-defined personnel or roles. |
Controls
Number | Title |
---|---|
SI-11 | Error Handling |