The version number of Apache Tomcat must be removed from the CATALINA_HOME/lib/catalina.jar file.
An XCCDF Rule
Description
<VulnDiscussion>If the version number of Apache Tomcat were visible to an intruder, they could use that information to search for known vulnerabilities of the app. Removal of unneeded or non-secure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources. The organization must perform a periodic scan/review of the application (as required by CCI-000384) and disable functions, ports, protocols, and services deemed to be unneeded or non-secure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-106393r1_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Remove the version string from HTTP error pages by unpacking ServerInfo.properties from CATALINA_HOME\lib\catalina.jar and updating the server version information:
Open a CMD prompt.
cd <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\lib
Copy to desktop and rename catalina.jar to catalina.zip
Open catalina.zip and drill down to org/apache/catalina/util/ServerInfo.properties