The version number of Apache Tomcat must be removed from the CATALINA_HOME/lib/catalina.jar file.

An XCCDF Rule

Description

If the version number of Apache Tomcat were visible to an intruder, they could use that information to search for known vulnerabilities of the app. Removal of unneeded or non-secure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources. The organization must perform a periodic scan/review of the application (as required by CCI-000384) and disable functions, ports, protocols, and services deemed to be unneeded or non-secure.

ID: SV-106393r1_rule
Version: ISEC-06-551100
Severity: Medium
References: CCI-001762
Updated: 15 days ago

Remediation Templates

Remove the version string from HTTP error pages by unpacking ServerInfo.properties from CATALINA_HOME\lib\catalina.jar and updating the server version information: 

Open a CMD prompt.
cd <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\lib
Copy to desktop and rename catalina.jar to catalina.zip
Open catalina.zip and drill down to org/apache/catalina/util/ServerInfo.propertiesOpen  ‘ServerInfo.properties’ with WordPad.
Edit the server version information and save.
…
server.info=Apache Tomcat
server.number=
server.built=

Save file, rename to catalina.jar, and copy back to directory, replacing existing file.

The version number of Apache Tomcat must be removed from the CATALINA_HOME/lib/catalina.jar file.

Description

Remediation Templates

A Manual Procedure