UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Tomcat server version must not be sent with warnings and errors.


Overview

Finding ID Version Rule ID IA Controls Severity
V-222978 TCAT-AS-000950 SV-222978r557518_rule Low
Description
A first order of attack is to identify vulnerable servers and services. Removing version information that would otherwise be provided when a client requests version data or receives an error message can limit automated attack attempts. Remove or replace the version string from HTTP error messages by repacking $CATALINA_HOME/server/lib/catalina.jar with an updated ServerInfo.properties file. This will modify the server information that is provided in error and warning responses.
STIG Date
Apache Tomcat Application Sever 9 Security Technical Implementation Guide 2020-09-23

Details

Check Text ( C-24650r426378_chk )
From the Tomcat server, cd to the $CATALINA_HOME/bin folder. Run the version.sh command and identify the following information that is provided:
Server version:
Server built:
Server number:

EXAMPLE:
Server version: Apache Tomcat
Server built: July 4 2019 14:20:06 UTC
Server number: 9.0.22.0

If additional version information is required, refer to the Apache Tomcat version 9 change log on the Apache Tomcat website for historical version information. Google "Apache Tomcat 9 changelog".

If server.info="Apache Tomcat" or server.number=the valid Tomcat version, this is a finding.
Fix Text (F-24639r426379_fix)
From the Tomcat server, cd to the $CATALINA_HOME/lib folder. As a privileged user run the following case sensitive command:

sudo jar -xf catalina.jar org/apache/catalina/util/ServerInfo.properties

Edit the ServerInfo.properties file.
sudo nano org/apache/catalina/util/ServerInfo.properties

Change server.info and server.number to read:
server.info=
server.number=

EXAMPLE:
server.info="Standard Server"
server.number=1.0.2.11

Save the ServerInfo.properties file.

Run the following command to update the catalina.jar file:
sudo jar -uf catalina.jar org/apache/catalina/util/ServerInfo.properties

Restart the Tomcat server:
sudo systemctl restart tomcat
sudo rm -rf $CATALINA_HOME/lib/org