
ErrorReportValve showReport must be set to false.


Overview

Finding ID: V-222977
Version: TCAT-AS-000940
Rule ID: SV-222977r615938_rule
IA Controls:
Severity: Medium
Description
The Error Report Valve is a simple error handler for HTTP status codes that will generate and return HTML error pages. It can also be configured to return pre-defined static HTML pages for specific status codes and/or exception types. Disabling showReport will result in no error message or stack trace being sent to the client. This setting can be tailored on a per-application basis within each application-specific web.xml.
STIG Date
Apache Tomcat Application Server 9 Security Technical Implementation Guide 2021-06-15

Details

Check Text ( C-24649r426375_chk )
As an elevated user on the Tomcat server, run the following command:

sudo grep -i ErrorReportValve $CATALINA_BASE/conf/server.xml

If the ErrorReportValve element is not defined, or showReport is not set to "false", this is a finding.

EXAMPLE:

...

...
Fix Text (F-24638r426376_fix)
As a privileged user on the Tomcat server:

Edit the $CATALINA_BASE/conf/server.xml file.

Create or modify an ErrorReportValve element nested beneath each Host element.

EXAMPLE:
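<Host name="localhost" appBase="webapps"
      unpackWARs="true" autoDeploy="false">
  ...
  <Valve className="org.apache.catalina.valves.ErrorReportValve"
         showReport="false" />
</Host>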



Restart the Tomcat server:
sudo systemctl restart tomcat
sudo systemctl daemon-reload
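
The grep in the check text matches any line that mentions ErrorReportValve, including commented-out ones, and does not show which Host a valve is nested under. The script below is an added example, not part of the STIG: it parses server.xml and reports every Host that lacks an ErrorReportValve with showReport="false". The function name, the sample host names and the sample XML are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

VALVE_CLASS = "org.apache.catalina.valves.ErrorReportValve"

# Constructed sample server.xml: one compliant Host and two findings.
SAMPLE = """<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false">
    <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" />
  </Host>
  <Host name="intranet.example" appBase="intranet">
    <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="true" />
  </Host>
  <Host name="legacy.example" appBase="legacy">
    <!-- <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" /> -->
  </Host>
</Engine></Service></Server>"""


def audit_error_report_valve(server_xml):
    """Return (host name, reason) for every <Host> that would be a finding."""
    root = ET.fromstring(server_xml)  # XML comments are dropped by the parser
    findings = []
    for host in root.iter("Host"):
        name = host.get("name", "<unnamed>")
        valves = [v for v in host.findall("Valve") if v.get("className") == VALVE_CLASS]
        if not valves:
            findings.append((name, "no ErrorReportValve defined"))
        for valve in valves:
            # The check text requires an explicit "false"; a missing attribute is reported too.
            value = valve.get("showReport")
            if value is None or value.strip().lower() != "false":
                findings.append((name, f"showReport={value!r}"))
    return findings


if __name__ == "__main__":
    # Pass the path to $CATALINA_BASE/conf/server.xml, or run without arguments for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    results = audit_error_report_valve(data)
    for host_name, reason in results:
        print(f"FINDING: Host {host_name}: {reason}")
    sys.exit(1 if results else 0)
```

The exit status is non-zero when any Host is a finding, so the script can gate a configuration pipeline or a scheduled compliance job.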