The version number of Apache Tomcat must be removed from the CATALINA_HOME/lib/catalina.jar file.

An XCCDF Rule

Description

<VulnDiscussion>If the version number of Apache Tomcat were visible to an intruder, they could use that information to search for known vulnerabilities of the app. Removal of unneeded or non-secure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources. The organization must perform a periodic scan/review of the application (as required by CCI-000384) and disable functions, ports, protocols, and services deemed to be unneeded or non-secure.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-224787r505933_rule
Severity: Medium
References: CCI-001762
Updated: about 1 year ago

Remove the version string from HTTP error pages by unpacking ServerInfo.properties from CATALINA_HOME\lib\catalina.jar and updating the server version information: 

Open a CMD prompt.
cd <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\lib
Copy to desktop and rename catalina.jar to catalina.zip
Open catalina.zip and drill down to org/apache/catalina/util/ServerInfo.propertiesOpen  ‘ServerInfo.properties’ with WordPad.
Edit the server version information and save.
…
server.info=Apache Tomcat
server.number=
server.built=

Save file, rename to catalina.jar, and copy back to directory, replacing existing file.

The version number of Apache Tomcat must be removed from the CATALINA_HOME/lib/catalina.jar file.

Description

Remediation - Manual Procedure