xpoweredBy attribute must be disabled.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-222957 | TCAT-AS-000550 | SV-222957r960963_rule | CCI-000381 | low |

Description

Individual connectors can be configured to send Tomcat server information to clients in the X-Powered-By response header. That information identifies the Tomcat version, which helps an attacker select exploits for known-vulnerable releases. Each connector must be checked for the xpoweredBy attribute to ensure it does not pass Tomcat server info to clients.

| STIG | Date |
|---|---|
| Apache Tomcat Application Server 9 Security Technical Implementation Guide | 2025-02-11 |
Related Frameworks
3 paths across 3 frameworks

NIST 800-53 mapping: CM-7 (1.00)
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-171 mapping: 3.4.6 (1.00)
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI mapping: CCI-000381 (1.00)
- DISA · 3 · disa_xccdf · related
Details
Check Text (C-222957r960963_chk)
From the Tomcat server run the following OS command:

```shell
sudo grep -i -C4 xpoweredby "$CATALINA_BASE/conf/server.xml"
```

If any <Connector> element contains xpoweredBy="true", this is a finding. The attribute defaults to false, so a connector that omits it is compliant. The grep also prints commented-out connectors and four lines of context around each hit, so read each match in its enclosing <Connector> element before recording a finding. If $CATALINA_BASE is not set in the invoking shell, the path collapses to /conf/server.xml; use the absolute path of the instance's conf/server.xml instead.
Fix Text (F-24618r426316_fix)
From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.

Examine each <Connector> element. If the element contains xpoweredBy="true", change it to xpoweredBy="false" (or delete the attribute, since false is Tomcat's default).

Restart Tomcat so the connectors are re-created with the new setting. `systemctl daemon-reload` only matters when a unit file has changed, not for a server.xml edit; if it is run at all it belongs before the restart:

```shell
sudo systemctl daemon-reload
sudo systemctl restart tomcat
```

After the restart, a request to the connector (for example `curl -sI http://localhost:8080/`, assuming an HTTP connector on port 8080) must return no X-Powered-By header.
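The check and fix above rely on grep and a manual edit, which over-report commented-out connectors and miss an attribute placed on a continuation line. The following Python script is an added example, not part of the STIG and not Tomcat project code: it parses a constructed sample server.xml (invented for this illustration) with the standard library, reports every live <Connector> whose xpoweredBy is true, rewrites those attributes to false in the raw text so the file's comments and layout survive, and re-runs the check on the result. The function names and the sample file are assumptions for the example; the default of false for xpoweredBy is Tomcat's documented behaviour.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml for this example (not from the page or any real
# deployment). The 8443 connector is the finding; the commented-out AJP
# connector shows why a plain grep over-reports.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true"
               xpoweredBy="TRUE" />
    <!-- <Connector port="8009" protocol="AJP/1.3" xpoweredBy="true" /> -->
    <Connector port="8010" protocol="AJP/1.3" xpoweredBy="false" />
  </Service>
</Server>
"""


def find_xpoweredby_findings(xml_text):
    """Return [(port, protocol), ...] for each live <Connector> with xpoweredBy true.

    Parsing the XML instead of grepping means commented-out connectors are
    ignored and an attribute on a continuation line is still seen. Tomcat
    converts the value with Boolean.valueOf, so "TRUE" counts as true and a
    missing attribute means the default, false.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("xpoweredBy", "false").strip().lower() == "true":
            findings.append((conn.get("port"), conn.get("protocol")))
    return findings


# Match xpoweredBy="true" inside a <Connector ...> start tag; group 1 keeps
# everything up to and including the opening quote, group 2 the closing quote.
_XPB_TRUE = re.compile(r'(<Connector\b[^>]*?\bxpoweredBy\s*=\s*")true(")',
                       re.IGNORECASE)


def fix_xpoweredby(xml_text):
    """Rewrite xpoweredBy="true" to "false" on every live <Connector>, textually.

    Editing the raw text keeps the file's comments, layout and XML declaration
    (ElementTree would drop comments on re-serialisation). Matches that fall
    inside <!-- --> are left untouched. Returns (new_text, number_of_changes).
    """
    comment_spans = [m.span() for m in re.finditer(r"<!--.*?-->", xml_text, re.DOTALL)]
    changed = 0

    def _sub(m):
        nonlocal changed
        if any(start <= m.start() < end for start, end in comment_spans):
            return m.group(0)  # commented-out connector: not a finding, leave it
        changed += 1
        return m.group(1) + "false" + m.group(2)

    return _XPB_TRUE.sub(_sub, xml_text), changed


def check_and_fix(xml_text):
    """Run the check, apply the fix, and confirm the fixed text has no findings."""
    before = find_xpoweredby_findings(xml_text)
    fixed, changed = fix_xpoweredby(xml_text)
    after = find_xpoweredby_findings(fixed)
    return before, changed, after


if __name__ == "__main__":
    # For a real instance read the file instead, e.g. open(path).read(), and
    # write the fixed text back before restarting Tomcat.
    before, changed, after = check_and_fix(SAMPLE_SERVER_XML)
    for port, protocol in before:
        print(f"finding: Connector port={port} protocol={protocol} has xpoweredBy=true")
    print(f"rewrote {changed} attribute(s); findings after fix: {after}")
```

The check function is the one to keep running after the fix and after every Tomcat upgrade, since a packaged server.xml can reintroduce the attribute. The textual fix deliberately matches only inside <Connector> start tags, so an xpoweredBy attribute on any other element is reported neither as a finding nor rewritten.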