ErrorReportValve showReport must be set to false.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-222977	TCAT-AS-000940	SV-222977r615938_rule		Medium

Description
The Error Report Valve is a simple error handler for HTTP status codes that will generate and return HTML error pages. It can also be configured to return pre-defined static HTML pages for specific status codes and/or exception types. Disabling showReport will result in no error message or stack trace being send to the client. This setting can be tailored on a per-application basis within each application specific web.xml.

Description

The Error Report Valve is a simple error handler for HTTP status codes that will generate and return HTML error pages. It can also be configured to return pre-defined static HTML pages for specific status codes and/or exception types. Disabling showReport will result in no error message or stack trace being send to the client. This setting can be tailored on a per-application basis within each application specific web.xml.

STIG	Date
Apache Tomcat Application Sever 9 Security Technical Implementation Guide	2021-06-15

Details

Check Text ( C-24649r426375_chk )
As an elevated user on the Tomcat server run the following command: sudo grep -i ErrorReportValve $CATALINA_BASE/conf/server.xml file. If the ErrorReportValve element is not defined and showReport set to "false", this is a finding. EXAMPLE: ... ...

Fix Text (F-24638r426376_fix)
As a privileged user on the Tomcat server: Edit the $CATALINA_BASE/conf/server.xml file. Create or modify an ErrorReportValve element nested beneath each element. EXAMPLE: unpackWARs="true" autoDeploy="false"> ... showReport="false" /> Restart the Tomcat server: sudo systemctl restart tomcat sudo systemctl daemon-reload