Stack tracing must be disabled in Apache Tomcat.

An XCCDF Rule

Description

The default error page shows a full stack trace, which is a disclosure of sensitive information. Removal of unneeded or non-secure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources. The organization must perform a periodic scan/review of the application (as required by CCI-000384) and disable functions, ports, protocols, and services deemed to be unneeded or non-secure.

ID: SV-106395r1_rule
Version: ISEC-06-551200
Severity: Medium
References: CCI-001762
Updated: 15 days ago

Remediation Templates

Remove the default error page by updating the web application web.xml file.

 Navigate to the ISEC7 EMM Suite installation directory: <Drive>:\Program Files\ISEC7 EMM Suite\web\WEB-INF
Open web.xml with Notepad.exe
Scroll to the end of the file.
Remove the comment tags <!--" and "-->
<!--   <error-page>
    <exception-type>java.lang.Exception</exception-type>
    <location>/exception.jsp</location>
  </error-page> -->

Save the changes.

This will acknowledge to the user that an exception occurred without showing any trace or source information.

Stack tracing must be disabled in Apache Tomcat.

Description

Remediation Templates

A Manual Procedure