STIGQter: STIG Summary: Apache Tomcat Application Sever 9 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

ErrorReportValve showServerInfo must be set to false.

DISA Rule

SV-222975r615938_rule

Vulnerability Number

V-222975

Group Title

SRG-APP-000266-AS-000169

Rule Version

TCAT-AS-000920

Severity

CAT II

CCI(s)

• CCI-001312 - The information system generates error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries.

Weight

10

Fix Recommendation

As a privileged user on the Tomcat server:

Edit the $CATALINA_BASE/conf/server.xml file.

Create or modify an ErrorReportValve <Valve> element nested beneath each <Host> element.

EXAMPLE:
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="false">
...
<Valve className="org.apache.catalina.valves.ErrorReportValve"
showServerInfo="false" />
...
</Host>

Restart the Tomcat server:
sudo systemctl restart tomcat
sudo systemctl daemon-reload

Check Contents

As an elevated user on the Tomcat server run the following command:

sudo grep -i ErrorReportValve $CATALINA_BASE/conf/server.xml file.

If the ErrorReportValve element is not defined and showServerInfo set to "false", this is a finding.

EXAMPLE:
<Host ...>
...
<Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false"/>
...
</Host>

Vulnerability Number

V-222975

Documentable

False

Rule Version

TCAT-AS-000920

Severity Override Guidance

As an elevated user on the Tomcat server run the following command:

sudo grep -i ErrorReportValve $CATALINA_BASE/conf/server.xml file.

If the ErrorReportValve element is not defined and showServerInfo set to "false", this is a finding.

EXAMPLE:
<Host ...>
...
<Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false"/>
...
</Host>

Check Content Reference

M

Target Key

4094

Comments