STIGQter: STIG Summary: Apache Tomcat Application Server 9 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

Default error pages for manager application must be customized.

DISA Rule

SV-222976r615938_rule

Vulnerability Number

V-222976

Group Title

SRG-APP-000267-AS-000170

Rule Version

TCAT-AS-000930

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

From the Tomcat server as a privileged user:

cd "$CATALINA_BASE/webapps/manager/WEB-INF/jsp/"

(cd is a shell builtin, so it is not run through sudo; use sudo on the editor instead.) Use a file editor like nano or vi and edit the 401.jsp, 402.jsp, and 403.jsp files. Remove account information and make the files reflect generic error information that assists users but does not provide sample data to users.

Save the files and restart Tomcat:
sudo systemctl daemon-reload
sudo systemctl restart tomcat

Check Contents

From the Tomcat server console, run the following command:

sudo cat $CATALINA_BASE/webapps/manager/WEB-INF/jsp/401.jsp

Repeat for the 402.jsp and 403.jsp files.

The default error files contain sample passwords and user accounts.

If the error files contained in this folder are not customized and sample information removed, this is a finding.
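The check above is a manual read of three files. As an added example (not part of the STIG text or of Tomcat itself), the POSIX shell script below automates it: it scans 401.jsp, 402.jsp and 403.jsp under $CATALINA_BASE for strings that indicate leftover sample account information and reports a finding per file. The default path, the fallback of /opt/tomcat, and the marker patterns (username=, password=, tomcat-users.xml, roles="manager) are assumptions chosen to match the kind of sample user/password content the STIG describes, not text copied from Tomcat's stock pages; the demo input at the bottom is constructed.

```shell
#!/bin/sh
# Added compliance check for TCAT-AS-000930 (example code, not from DISA or Tomcat).
# Scans the manager application's 401/402/403 error pages for sample account data.

# Directory holding the manager error pages (assumption: CATALINA_BASE, else /opt/tomcat).
JSP_DIR="${CATALINA_BASE:-/opt/tomcat}/webapps/manager/WEB-INF/jsp"

# Markers treated as evidence that sample credential content is still present (assumption).
SAMPLE_PATTERNS='username=|password=|tomcat-users\.xml|roles="manager'

# check_error_page FILE
#   Prints PASS, FAIL or MISSING for one page.
#   Returns 0 for PASS, 1 when sample content is found, 2 when the file is absent.
check_error_page() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "MISSING $f"
        return 2
    fi
    if grep -Eiq "$SAMPLE_PATTERNS" "$f"; then
        echo "FAIL    $f (sample account information present)"
        return 1
    fi
    echo "PASS    $f"
    return 0
}

# check_manager_pages DIR
#   Runs check_error_page for 401.jsp, 402.jsp and 403.jsp in DIR.
#   Returns the number of pages that are not compliant (0 means no finding).
check_manager_pages() {
    dir="$1"
    findings=0
    for code in 401 402 403; do
        check_error_page "$dir/$code.jsp" || findings=$((findings + 1))
    done
    return "$findings"
}

# Demo on constructed input: one page still carrying a sample user, one generic page,
# and 402.jsp deliberately absent to show the MISSING case. Expected: 2 findings.
demo_dir=$(mktemp -d)
printf '<p>Add a user to tomcat-users.xml:</p>\n<user username="tomcat" password="changeme" roles="manager-gui"/>\n' > "$demo_dir/401.jsp"
printf '<p>Access denied. Contact the server administrator.</p>\n' > "$demo_dir/403.jsp"
demo_findings=0
check_manager_pages "$demo_dir" || demo_findings=$?
echo "findings on demo directory: $demo_findings"
rm -rf "$demo_dir"

# Real check: point at the live manager pages and exit non-zero on any finding.
# check_manager_pages "$JSP_DIR"
```

Run it as a user that can read the manager webapp (or under sudo) and treat a non-zero return from check_manager_pages as the finding condition in the check text; a grep hit on the markers is a strong indicator, but the reviewer still reads a flagged page to confirm it is sample data rather than, say, a generic sentence that happens to mention a password.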

Documentable

False

Check Content Reference

M

Target Key

4094

Comments