
Tomcat server version must not be sent with warnings and errors.


Overview

Finding ID: V-222978
Version: TCAT-AS-000950
Rule ID: SV-222978r615938_rule
IA Controls: (none listed)
Severity: Low
Description
A first order of attack is to identify vulnerable servers and services. Removing version information that would otherwise be provided when a client requests version data or receives an error message can limit automated attack attempts. Remove or replace the version string from HTTP error messages by repacking $CATALINA_HOME/server/lib/catalina.jar with an updated ServerInfo.properties file. This will modify the server information that is provided in error and warning responses.
STIG: Apache Tomcat Application Server 9 Security Technical Implementation Guide
Date: 2021-12-27

Details

Check Text (C-24650r426378_chk)
From the Tomcat server, cd to the $CATALINA_HOME/bin folder. Run the version.sh command and note the following fields in its output:
Server version:
Server built:
Server number:

EXAMPLE:
Server version: Apache Tomcat
Server built: July 4 2019 14:20:06 UTC
Server number: 9.0.22.0

If additional version information is required, refer to the Apache Tomcat version 9 change log on the Apache Tomcat website for historical version information. Google "Apache Tomcat 9 changelog".

If server.info is still "Apache Tomcat" or server.number is still the real Tomcat version number, this is a finding.
Fix Text (F-24639r426379_fix)
From the Tomcat server, cd to the $CATALINA_HOME/lib folder. As a privileged user, run the following case-sensitive command:

sudo jar -xf catalina.jar org/apache/catalina/util/ServerInfo.properties

Edit the ServerInfo.properties file.
sudo nano org/apache/catalina/util/ServerInfo.properties

Change server.info and server.number to read:
server.info=
server.number=

EXAMPLE:
server.info="Standard Server"
server.number=1.0.2.11

Save the ServerInfo.properties file.

Run the following command to update the catalina.jar file:
sudo jar -uf catalina.jar org/apache/catalina/util/ServerInfo.properties

Restart the Tomcat server:
sudo systemctl restart tomcat
sudo rm -rf $CATALINA_HOME/lib/org
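The check and fix above, worked as an added example that is not part of the STIG text: a POSIX shell script that evaluates a ServerInfo.properties file against the TCAT-AS-000950 criteria and applies the server.info/server.number rewrite the fix describes. The properties embedded in it are constructed samples, and the matching rules (server.info beginning with "Apache Tomcat", server.number shaped like a Tomcat 9 release) are this script's own interpretation of the check.

```shell
#!/bin/sh
# Added example, not from the STIG or the Tomcat project. Evaluates the
# TCAT-AS-000950 check against ServerInfo.properties content and shows the
# edit the fix text describes, without touching a live Tomcat instance.

# Print "finding" when server.info still identifies the product as Apache
# Tomcat or server.number still looks like a real Tomcat 9 release (9.a.b.c),
# otherwise print "ok". Surrounding quotes on server.info are ignored.
evaluate_serverinfo() {
  _info=$(printf '%s\n' "$1" | sed -n 's/^server\.info=//p' | tr -d '"')
  _number=$(printf '%s\n' "$1" | sed -n 's/^server\.number=//p')
  case "$_info" in
    "Apache Tomcat"*) echo finding; return 0 ;;
  esac
  case "$_number" in
    9.[0-9]*.[0-9]*.[0-9]*) echo finding; return 0 ;;
  esac
  echo ok
}

# Rewrite server.info and server.number to the values the admin chooses
# (arguments 2 and 3); every other line, e.g. server.built, is left untouched.
harden_serverinfo() {
  printf '%s\n' "$1" | sed -e "s/^server\.info=.*/server.info=$2/" \
                            -e "s/^server\.number=.*/server.number=$3/"
}

# Read the live file straight out of catalina.jar (same path the STIG
# extracts with jar -xf). Needs unzip and CATALINA_HOME; not called here.
read_live_serverinfo() {
  unzip -p "${CATALINA_HOME:?}/lib/catalina.jar" \
    org/apache/catalina/util/ServerInfo.properties
}

# Constructed sample resembling a stock Tomcat 9.0.22 ServerInfo.properties.
STOCK_PROPS='server.info=Apache Tomcat/9.0.22
server.number=9.0.22.0
server.built=Jul 4 2019 14:20:06 UTC'

# Apply the fix-text example values to the sample.
FIXED_PROPS=$(harden_serverinfo "$STOCK_PROPS" "Standard Server" "1.0.2.11")

echo "stock: $(evaluate_serverinfo "$STOCK_PROPS")"   # finding
echo "fixed: $(evaluate_serverinfo "$FIXED_PROPS")"   # ok
```

To run against a real server, feed `evaluate_serverinfo "$(read_live_serverinfo)"` the output of the extraction before and after repacking catalina.jar.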