UCF STIG Viewer Logo

xpoweredBy attribute must be disabled.


Overview

Finding ID Version Rule ID IA Controls Severity
V-222957 TCAT-AS-000550 SV-222957r615938_rule Low
Description
Individual connectors can be configured to display the Tomcat server info to clients. This information can be used to identify Tomcat versions which can be useful to attackers for identifying vulnerable versions of Tomcat. Individual connectors must be checked for the xpoweredBy attribute to ensure they do not pass Tomcat server info to clients.
STIG Date
Apache Tomcat Application Sever 9 Security Technical Implementation Guide 2021-12-27

Details

Check Text ( C-24629r426315_chk )
From the Tomcat server run the following OS command:

sudo cat $CATALINA_BASE/conf/server.xml |grep -i -C4 xpoweredby.

If any connector elements contain xpoweredBy="true", this is a finding.
Fix Text (F-24618r426316_fix)
From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.

Examine each element, if the element contains xpoweredBy="true", modify the statement to read ", xpoweredBy="false".

sudo systemctl restart tomcat
sudo systemctl daemon-reload