Tomcat server version must not be sent with warnings and errors.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-222978	TCAT-AS-000950	SV-222978r615938_rule		Low

Description
A first order of attack is to identify vulnerable servers and services. Removing version information that would otherwise be provided when a client requests version data or receives an error message can limit automated attack attempts. Remove or replace the version string from HTTP error messages by repacking $CATALINA_HOME/server/lib/catalina.jar with an updated ServerInfo.properties file. This will modify the server information that is provided in error and warning responses.

Description

A first order of attack is to identify vulnerable servers and services. Removing version information that would otherwise be provided when a client requests version data or receives an error message can limit automated attack attempts. Remove or replace the version string from HTTP error messages by repacking $CATALINA_HOME/server/lib/catalina.jar with an updated ServerInfo.properties file. This will modify the server information that is provided in error and warning responses.

STIG	Date
Apache Tomcat Application Sever 9 Security Technical Implementation Guide	2021-06-15

Details

Check Text ( C-24650r426378_chk )
From the Tomcat server, cd to the $CATALINA_HOME/bin folder. Run the version.sh command and identify the following information that is provided: Server version: Server built: Server number: EXAMPLE: Server version: Apache Tomcat Server built: July 4 2019 14:20:06 UTC Server number: 9.0.22.0 If additional version information is required, refer to the Apache Tomcat version 9 change log on the Apache Tomcat website for historical version information. Google "Apache Tomcat 9 changelog". If server.info="Apache Tomcat" or server.number=the valid Tomcat version, this is a finding.

Check Text ( C-24650r426378_chk )

From the Tomcat server, cd to the $CATALINA_HOME/bin folder. Run the version.sh command and identify the following information that is provided:
Server version:
Server built:
Server number:

EXAMPLE:
Server version: Apache Tomcat
Server built: July 4 2019 14:20:06 UTC
Server number: 9.0.22.0

If additional version information is required, refer to the Apache Tomcat version 9 change log on the Apache Tomcat website for historical version information. Google "Apache Tomcat 9 changelog".

If server.info="Apache Tomcat" or server.number=the valid Tomcat version, this is a finding.

Fix Text (F-24639r426379_fix)
From the Tomcat server, cd to the $CATALINA_HOME/lib folder. As a privileged user run the following case sensitive command: sudo jar -xf catalina.jar org/apache/catalina/util/ServerInfo.properties Edit the ServerInfo.properties file. sudo nano org/apache/catalina/util/ServerInfo.properties Change server.info and server.number to read: server.info= server.number= EXAMPLE: server.info="Standard Server" server.number=1.0.2.11 Save the ServerInfo.properties file. Run the following command to update the catalina.jar file: sudo jar -uf catalina.jar org/apache/catalina/util/ServerInfo.properties Restart the Tomcat server: sudo systemctl restart tomcat sudo rm -rf $CATALINA_HOME/lib/org

Fix Text (F-24639r426379_fix)

From the Tomcat server, cd to the $CATALINA_HOME/lib folder. As a privileged user run the following case sensitive command:

sudo jar -xf catalina.jar org/apache/catalina/util/ServerInfo.properties

Edit the ServerInfo.properties file.
sudo nano org/apache/catalina/util/ServerInfo.properties

Change server.info and server.number to read:
server.info=
server.number=

EXAMPLE:
server.info="Standard Server"
server.number=1.0.2.11

Save the ServerInfo.properties file.

Run the following command to update the catalina.jar file:
sudo jar -uf catalina.jar org/apache/catalina/util/ServerInfo.properties

Restart the Tomcat server:
sudo systemctl restart tomcat
sudo rm -rf $CATALINA_HOME/lib/org