UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Stack tracing must be disabled in Apache Tomcat.


Overview

Finding ID Version Rule ID IA Controls Severity
V-224788 ISEC-06-551200 SV-224788r505933_rule Medium
Description
The default error page shows a full stack trace, which is a disclosure of sensitive information. Removal of unneeded or non-secure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources. The organization must perform a periodic scan/review of the application (as required by CCI-000384) and disable functions, ports, protocols, and services deemed to be unneeded or non-secure.
STIG Date
ISEC7 Sphere Security Technical Implementation Guide 2020-09-04

Details

Check Text ( C-26479r461620_chk )
Verify stack tracing has been disabled in Apache Tomcat.

Navigate to the ISEC7 EMM Suite installation directory: :\Program Files\ISEC7 EMM Suite\web\WEB-INF
Open web.xml with Notepad.exe
Scroll to the end of the file.
Confirm there are no comment tags and the following exists without comment tags:


java.lang.Exception
/exception.jsp


If stack tracing has not been disabled in Apache Tomcat, this is a finding.
Fix Text (F-26467r461621_fix)
Remove the default error page by updating the web application web.xml file.

Navigate to the ISEC7 EMM Suite installation directory: :\Program Files\ISEC7 EMM Suite\web\WEB-INF
Open web.xml with Notepad.exe
Scroll to the end of the file.
Remove the comment tags



Save the changes.

This will acknowledge to the user that an exception occurred without showing any trace or source information.