STIGQter: STIG Summary: Apache Tomcat Application Sever 9 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

Tomcat server version must not be sent with warnings and errors.

DISA Rule

SV-222978r615938_rule

Vulnerability Number

V-222978

Group Title

SRG-APP-000267-AS-000170

Rule Version

TCAT-AS-000950

Severity

CAT III

CCI(s)

• CCI-001314 - The information system reveals error messages only to organization-defined personnel or roles.

Weight

10

Fix Recommendation

From the Tomcat server, cd to the $CATALINA_HOME/lib folder. As a privileged user run the following case sensitive command:

sudo jar -xf catalina.jar org/apache/catalina/util/ServerInfo.properties

Edit the ServerInfo.properties file.
sudo nano org/apache/catalina/util/ServerInfo.properties

Change server.info and server.number to read:
server.info=<Enter Some Random Name or Value>
server.number=<Enter Some Random number>

EXAMPLE:
server.info="Standard Server"
server.number=1.0.2.11

Save the ServerInfo.properties file.

Run the following command to update the catalina.jar file:
sudo jar -uf catalina.jar org/apache/catalina/util/ServerInfo.properties

Restart the Tomcat server:
sudo systemctl restart tomcat
sudo rm -rf $CATALINA_HOME/lib/org

Check Contents

From the Tomcat server, cd to the $CATALINA_HOME/bin folder. Run the version.sh command and identify the following information that is provided:
Server version:
Server built:
Server number:

EXAMPLE:
Server version: Apache Tomcat
Server built: July 4 2019 14:20:06 UTC
Server number: 9.0.22.0

If additional version information is required, refer to the Apache Tomcat version 9 change log on the Apache Tomcat website for historical version information. Google "Apache Tomcat 9 changelog".

If server.info="Apache Tomcat" or server.number=the valid Tomcat version, this is a finding.

Vulnerability Number

V-222978

Documentable

False

Rule Version

TCAT-AS-000950

Severity Override Guidance

From the Tomcat server, cd to the $CATALINA_HOME/bin folder. Run the version.sh command and identify the following information that is provided:
Server version:
Server built:
Server number:

EXAMPLE:
Server version: Apache Tomcat
Server built: July 4 2019 14:20:06 UTC
Server number: 9.0.22.0

If additional version information is required, refer to the Apache Tomcat version 9 change log on the Apache Tomcat website for historical version information. Google "Apache Tomcat 9 changelog".

If server.info="Apache Tomcat" or server.number=the valid Tomcat version, this is a finding.

Check Content Reference

M

Target Key

4094

Comments