Default error pages for manager application must be customized.

An XCCDF Rule

Description

<VulnDiscussion>Default error pages that accompany the manager application provide educational information on how to configure user accounts and groups for accessing the manager application. These error pages provide responses to 401 (Unauthorized), 403 (Forbidden), and 404 (Not Found) JSP error codes and should not exist on production systems.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-222976r961170_rule
Severity: Low
References: CCI-001314
Updated: 17 days ago

From the Tomcat server as a privileged user:

sudo cd $CATALINA_BASE/webapps/manager/WEB-INF/jsp/

Use a file editor like nano or vi and edit the 401, 402, and 403 jsp files. Remove account information and make the files reflect generic error information that assists users but does not provide sample data to users.
Save the file and restart Tomcat:
sudo systemctl restart tomcat
sudo systemctl daemon-reload

Default error pages for manager application must be customized.

Description

Remediation - Manual Procedure