Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-222977 | TCAT-AS-000940 | SV-222977r615938_rule | Medium |
Description |
---|
The Error Report Valve is a simple error handler for HTTP status codes that will generate and return HTML error pages. It can also be configured to return pre-defined static HTML pages for specific status codes and/or exception types. Disabling showReport will result in no error message or stack trace being send to the client. This setting can be tailored on a per-application basis within each application specific web.xml. |
STIG | Date |
---|---|
Apache Tomcat Application Sever 9 Security Technical Implementation Guide | 2021-06-15 |
Check Text ( C-24649r426375_chk ) |
---|
As an elevated user on the Tomcat server run the following command: sudo grep -i ErrorReportValve $CATALINA_BASE/conf/server.xml file. If the ErrorReportValve element is not defined and showReport set to "false", this is a finding. EXAMPLE: ... ... |
Fix Text (F-24638r426376_fix) |
---|
As a privileged user on the Tomcat server: Edit the $CATALINA_BASE/conf/server.xml file. Create or modify an ErrorReportValve EXAMPLE: ... Restart the Tomcat server: sudo systemctl restart tomcat sudo systemctl daemon-reload |