UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Default error pages for manager application must be customized.


Overview

Finding ID Version Rule ID IA Controls Severity
V-222976 TCAT-AS-000930 SV-222976r879656_rule Low
Description
Default error pages that accompany the manager application provide educational information on how to configure user accounts and groups for accessing the manager application. These error pages provide responses to 401 (Unauthorized), 403 (Forbidden), and 404 (Not Found) JSP error codes and should not exist on production systems.
STIG Date
Apache Tomcat Application Server 9 Security Technical Implementation Guide 2023-06-05

Details

Check Text ( C-24648r426372_chk )
From the Tomcat server console, run the following command:

sudo cat $CATALINA_BASE/webapps/manager/WEB-INF/jsp/401.jsp

Repeat for the 402.jsp and 403.jsp files.

The default error files contain sample passwords and user accounts.

If the error files contained in this folder are not customized and sample information removed, this is a finding.
Fix Text (F-24637r426373_fix)
From the Tomcat server as a privileged user:

sudo cd $CATALINA_BASE/webapps/manager/WEB-INF/jsp/

Use a file editor like nano or vi and edit the 401, 402, and 403 jsp files. Remove account information and make the files reflect generic error information that assists users but does not provide sample data to users.

Save the file and restart Tomcat:
sudo systemctl restart tomcat
sudo systemctl daemon-reload