STIGQter: STIG Summary: Apache Tomcat Application Sever 9 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

xpoweredBy attribute must be disabled.

DISA Rule

SV-222957r615938_rule

Vulnerability Number

V-222957

Group Title

SRG-APP-000141-AS-000095

Rule Version

TCAT-AS-000550

Severity

CAT III

CCI(s)

CCI-000381 - The organization configures the information system to provide only essential capabilities.

Weight

Fix Recommendation

From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.

Examine each <Connector> </Connector> element, if the element contains xpoweredBy="true", modify the statement to read ", xpoweredBy="false".

sudo systemctl restart tomcat
sudo systemctl daemon-reload

Check Contents

From the Tomcat server run the following OS command:

sudo cat $CATALINA_BASE/conf/server.xml |grep -i -C4 xpoweredby.

If any connector elements contain xpoweredBy="true", this is a finding.

Vulnerability Number

V-222957

Documentable

False

Rule Version

TCAT-AS-000550

Severity Override Guidance

From the Tomcat server run the following OS command:

sudo cat $CATALINA_BASE/conf/server.xml |grep -i -C4 xpoweredby.

If any connector elements contain xpoweredBy="true", this is a finding.

Check Content Reference

Target Key

4094

xpoweredBy attribute must be disabled.

DISA Rule

Vulnerability Number

Group Title

Rule Version

Severity

CCI(s)

Weight

Fix Recommendation

Check Contents

Vulnerability Number

Documentable

Rule Version

Severity Override Guidance

Check Content Reference

Target Key

Comments