Check: TCAT-AS-000550
Apache Tomcat Application Server 9 STIG:
TCAT-AS-000550
(in versions v2 r7 through v1 r1)
Title
xpoweredBy attribute must be disabled. (Cat III impact)
Discussion
Individual connectors can be configured to display the Tomcat server info to clients. This information reveals the Tomcat version, which helps attackers identify vulnerable versions of Tomcat. Each connector must be checked for the xpoweredBy attribute to ensure it does not pass Tomcat server info to clients.
Check Content
From the Tomcat server run the following OS command: sudo cat $CATALINA_BASE/conf/server.xml |grep -i -C4 xpoweredby. If any connector elements contain xpoweredBy="true", this is a finding.
Fix Text
From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file. Examine each <Connector> </Connector> element; if the element contains xpoweredBy="true", modify the statement to read xpoweredBy="false". Then restart Tomcat:
sudo systemctl restart tomcat
sudo systemctl daemon-reload
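As an added example (not part of the STIG), the check above implemented by parsing server.xml instead of grepping it: it reports each <Connector> that sets xpoweredBy="true", skips commented-out connectors that grep -i would match, and treats a missing attribute as compliant. The embedded server.xml is a constructed sample; pass a path to audit a real file, and run it again after the fix to confirm there are no findings.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not a real deployment's file): a compliant
# connector, a finding, a commented-out connector that grep would wrongly
# flag, and a connector relying on Tomcat's default (xpoweredBy false).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" xpoweredBy="false" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" xpoweredBy="true" />
    <!-- <Connector port="8009" protocol="AJP/1.3" xpoweredBy="true" /> -->
    <Connector port="8010" protocol="AJP/1.3" />
  </Service>
</Server>
"""


def find_xpowered_by_findings(xml_text: str) -> list:
    """Return one finding per <Connector> whose xpoweredBy evaluates to true.

    Attribute names are compared case-insensitively (like grep -i in the check).
    Tomcat parses the value with Java's Boolean.valueOf, so only the literal
    "true" (any case) enables the header; a missing attribute is compliant
    (default false). The XML parser drops comments, unlike grep.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for connector in root.iter("Connector"):
        for name, value in connector.attrib.items():
            if name.lower() == "xpoweredby" and value.strip().lower() == "true":
                findings.append({"port": connector.get("port", "?"),
                                 "attribute": name, "value": value})
    return findings


def audit(xml_text: str) -> bool:
    """Print each finding; return True when the check passes (no findings)."""
    findings = find_xpowered_by_findings(xml_text)
    for f in findings:
        print(f"FINDING: Connector port={f['port']} sets "
              f"{f['attribute']}=\"{f['value']}\"")
    return not findings


if __name__ == "__main__":
    # Audit $CATALINA_BASE/conf/server.xml when a path is given, else the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    sys.exit(0 if audit(text) else 1)
```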
Additional Identifiers
Rule ID: SV-222957r879587_rule
Vulnerability ID: V-222957
Group Title: SRG-APP-000141-AS-000095
CCIs
Number | Definition
---|---
CCI-000381 | The organization configures the information system to provide only essential capabilities.
Controls
Number | Title
---|---
CM-7 | Least Functionality