An error occurred:

Check: ISEC-06-551100

ISEC7 Sphere STIG: ISEC-06-551100 (in version v2 r1)

Title

The version number of Apache Tomcat must be removed from the CATALINA_HOME/lib/catalina.jar file. (Cat II impact)

Discussion

If the version number of Apache Tomcat were visible to an intruder, they could use that information to search for known vulnerabilities of the app. Removal of unneeded or non-secure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources. The organization must perform a periodic scan/review of the application (as required by CCI-000384) and disable functions, ports, protocols, and services deemed to be unneeded or non-secure.

Check Content

Verify the version number of Apache Tomcat has been removed from the CATALINA_HOME/lib/catalina.jar file. Open a CMD prompt. cd <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\lib Copy to desktop and rename catalina.jar to catalina.zip Open catalina.zip and drill down to org/apache/catalina/util/ServerInfo.properties Open ‘ServerInfo.properties’ with WordPad. Confirm the server version information has been removed. … server.info=Apache Tomcat server.number= server.built= If the version number of Apache Tomcat has not been removed from the CATALINA_HOME/lib/catalina.jar file, this is a finding.

Fix Text

Remove the version string from HTTP error pages by unpacking ServerInfo.properties from CATALINA_HOME\lib\catalina.jar and updating the server version information: Open a CMD prompt. cd <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\lib Copy to desktop and rename catalina.jar to catalina.zip Open catalina.zip and drill down to org/apache/catalina/util/ServerInfo.properties Open ‘ServerInfo.properties’ with WordPad. Edit the server version information and save. … server.info=Apache Tomcat server.number= server.built= Save file, rename to catalina.jar, and copy back to directory, replacing existing file.

Additional Identifiers

Rule ID: SV-224787r505933_rule

Vulnerability ID: V-224787

Group Title: SRG-APP-000383

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001762

The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
CM-7 (1)

Periodic Review