Check: ISEC-06-551200
ISEC7 Sphere STIG: ISEC-06-551200 (in version v2 r1)
Title
Stack tracing must be disabled in Apache Tomcat. (Cat II impact)
Discussion
The default error page shows a full stack trace, which is a disclosure of sensitive information. Removal of unneeded or non-secure functions, ports, protocols, and services mitigates the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources. The organization must perform a periodic scan/review of the application (as required by CCI-000384) and disable functions, ports, protocols, and services deemed to be unneeded or non-secure.
Check Content
Verify stack tracing has been disabled in Apache Tomcat.

1. Navigate to the ISEC7 EMM Suite installation directory: <Drive>:\Program Files\ISEC7 EMM Suite\web\WEB-INF
2. Open web.xml with Notepad.exe.
3. Scroll to the end of the file.
4. Confirm there are no comment tags ("<!--" and "-->") around the following block, and that it is present without comment tags:

```xml
<error-page>
  <exception-type>java.lang.Exception</exception-type>
  <location>/exception.jsp</location>
</error-page>
```

If stack tracing has not been disabled in Apache Tomcat, this is a finding.
Fix Text
Remove the default error page by updating the web application web.xml file.

1. Navigate to the ISEC7 EMM Suite installation directory: <Drive>:\Program Files\ISEC7 EMM Suite\web\WEB-INF
2. Open web.xml with Notepad.exe.
3. Scroll to the end of the file.
4. Remove the comment tags ("<!--" and "-->") surrounding the following block:

```xml
<!--
<error-page>
  <exception-type>java.lang.Exception</exception-type>
  <location>/exception.jsp</location>
</error-page>
-->
```

5. Save the changes.

This will acknowledge to the user that an exception occurred without showing any trace or source information.
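The Check Content and Fix Text above both hinge on one detail: the `<error-page>` mapping for `java.lang.Exception` only takes effect when it is live XML, not wrapped in comment tags. The following script is an added example, not part of the STIG or of the ISEC7 product, that audits a web.xml for that condition the way an XML parser sees it (commented markup is simply absent from the parsed tree) and applies the Fix Text by stripping only the comment tags around that block. The two sample web.xml documents are constructed for the example; the `/exception.jsp` location is the one named in the check, and the `web-app` namespaces are the standard Java EE schema namespaces.

```python
"""Audit (and optionally fix) a Tomcat web.xml for ISEC-06-551200.

Compliant: an <error-page> element mapping java.lang.Exception to a location
is present as live XML. A block wrapped in <!-- --> does not count.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: non-compliant, the error-page block is commented out.
NONCOMPLIANT_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <display-name>constructed-sample</display-name>
  <!--
  <error-page>
    <exception-type>java.lang.Exception</exception-type>
    <location>/exception.jsp</location>
  </error-page>
  -->
</web-app>
"""

# Constructed sample: compliant, using the older Java EE namespace to show the
# check does not depend on a particular schema version.
COMPLIANT_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <error-page>
    <exception-type>java.lang.Exception</exception-type>
    <location>/exception.jsp</location>
  </error-page>
</web-app>
"""


def _local(tag):
    """Strip the namespace prefix ('{uri}name' -> 'name')."""
    return tag.rsplit('}', 1)[-1]


def has_exception_error_page(xml_text):
    """Return True when a live <error-page> maps java.lang.Exception to a location.

    Commented-out markup is not part of the parsed tree, so a block inside
    <!-- --> fails this check, which is exactly what the STIG requires.
    """
    root = ET.fromstring(xml_text)
    for element in root.iter():
        if _local(element.tag) != 'error-page':
            continue
        exception_types = [c.text.strip() for c in element
                           if _local(c.tag) == 'exception-type' and c.text]
        locations = [c.text.strip() for c in element
                     if _local(c.tag) == 'location' and c.text]
        if 'java.lang.Exception' in exception_types and locations:
            return True
    return False


# Matches a comment whose body is an <error-page> block for java.lang.Exception.
_COMMENTED_BLOCK = re.compile(
    r'<!--(\s*<error-page>.*?java\.lang\.Exception.*?</error-page>\s*)-->',
    re.DOTALL)


def uncomment_error_page(xml_text):
    """Apply the Fix Text: remove only the comment tags around that block.

    Returns (fixed_text, number_of_blocks_uncommented). Other comments in the
    file are left alone.
    """
    return _COMMENTED_BLOCK.subn(r'\1', xml_text)


def assess(xml_text):
    """Map the check result onto STIG wording."""
    return 'compliant' if has_exception_error_page(xml_text) else 'FINDING'


if __name__ == '__main__':
    print('before fix:', assess(NONCOMPLIANT_WEB_XML))
    fixed, count = uncomment_error_page(NONCOMPLIANT_WEB_XML)
    print('blocks uncommented:', count)
    print('after fix: ', assess(fixed))
```

Run against a real installation by reading `<Drive>:\Program Files\ISEC7 EMM Suite\web\WEB-INF\web.xml` into `assess()`; if it reports `FINDING`, `uncomment_error_page()` produces the corrected content, which should be written back only after reviewing the diff, since the regex intentionally touches nothing but the comment tags around that one block.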
Additional Identifiers
Rule ID: SV-224788r505933_rule
Vulnerability ID: V-224788
Group Title: SRG-APP-000383
Expert Comments
CCIs
Number | Definition
---|---
CCI-001762 | The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.
Controls
Number | Title
---|---
CM-7 (1) | Periodic Review