An error occurred:

Apache Tomcat Application Server 9 STIG Version Comparison

Apache Tomcat Application Server 9 Security Technical Implementation Guide

Comparison

There are 4 differences between versions v2 r5 (July 26, 2023) (the "left" version) and v2 r7 (Jan. 24, 2024) (the "right" version).

Check TCAT-AS-000950 was removed from the benchmark in the "right" version. The text below reflects the old wording.

This check's original form is available here.

Text Differences

Title

Tomcat server version must not be sent with warnings and errors.

Check Content

From the Tomcat server, cd to the $CATALINA_HOME/bin folder. Run the version.sh command and identify the following information that is provided: Server version: Server built: Server number: EXAMPLE: Server version: Apache Tomcat Server built: July 4 2019 14:20:06 UTC Server number: 9.0.22.0 If additional version information is required, refer to the Apache Tomcat version 9 change log on the Apache Tomcat website for historical version information. Google "Apache Tomcat 9 changelog". If server.info="Apache Tomcat" or server.number=the valid Tomcat version, this is a finding.

Discussion

A first order of attack is to identify vulnerable servers and services. Removing version information that would otherwise be provided when a client requests version data or receives an error message can limit automated attack attempts. Remove or replace the version string from HTTP error messages by repacking $CATALINA_HOME/server/lib/catalina.jar with an updated ServerInfo.properties file. This will modify the server information that is provided in error and warning responses.

Fix

From the Tomcat server, cd to the $CATALINA_HOME/lib folder. As a privileged user run the following case sensitive command: sudo jar -xf catalina.jar org/apache/catalina/util/ServerInfo.properties Edit the ServerInfo.properties file. sudo nano org/apache/catalina/util/ServerInfo.properties Change server.info and server.number to read: server.info=<Enter Some Random Name or Value> server.number=<Enter Some Random number> EXAMPLE: server.info="Standard Server" server.number=1.0.2.11 Save the ServerInfo.properties file. Run the following command to update the catalina.jar file: sudo jar -uf catalina.jar org/apache/catalina/util/ServerInfo.properties Restart the Tomcat server: sudo systemctl restart tomcat sudo rm -rf $CATALINA_HOME/lib/org