
Default Error Pages Present - Endevor Webservices


Article ID: 134199


Updated On:

Products

Endevor Software Change Manager (SCM)
Endevor Software Change Manager - Natural Integration (SCM)
Endevor Software Change Manager - ECLIPSE Plugin (SCM)
Endevor Software Change Manager - Enterprise Workbench (SCM)

Issue/Introduction

Penetration testing has identified an issue: "Default Error Pages Present - Endevor Webservices". The server returned error pages that are the defaults for the Apache Tomcat technology in use. This could give an attacker information about the specific technology versions in use on the target system, helping them devise further attacks. The content of these error pages allowed the web server version to be enumerated.

Cause

Default Tomcat behavior. 

Environment

Release : 18.0

Component : CA Endevor Software Change Manager

Resolution

In server.xml, add this line:

<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />

This will globally suppress the Tomcat version and error report, and just show the error code, in webapps not using custom error pages.

Upgrade to latest maintenance: SO09627
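
To confirm the setting is in place after the change, the following added example (not part of the original article and not Broadcom's code) audits a server.xml for the valve shown above. It assumes the valve is nested inside each <Host> element and that both attributes default to true when omitted; the XML samples and the function name audit_server_xml are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

ERV = "org.apache.catalina.valves.ErrorReportValve"
TEMPLATE = """<Server><Service name="Catalina">
  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps">
      <!-- constructed sample, not from a real Endevor install -->
      %s
    </Host>
  </Engine>
</Service></Server>"""

# Constructed inputs: no valve, the article's valve, and a half-configured valve.
WEAK = TEMPLATE % ""
HARDENED = TEMPLATE % ('<Valve className="%s" showReport="false" showServerInfo="false" />' % ERV)
PARTIAL = TEMPLATE % ('<Valve className="%s" showReport="false" />' % ERV)


def audit_server_xml(xml_text):
    """Return one finding per setting that still lets Tomcat's default error page leak."""
    findings = []
    for host in ET.fromstring(xml_text).iter("Host"):
        name = host.get("name", "<unnamed>")
        valves = [v for v in host.findall("Valve") if v.get("className") == ERV]
        if not valves:
            findings.append("%s: no ErrorReportValve, Tomcat defaults apply" % name)
            continue
        for attr in ("showReport", "showServerInfo"):
            # An omitted attribute counts as "true" (assumed Tomcat default).
            if valves[0].get(attr, "true").strip().lower() != "false":
                findings.append("%s: %s is not false" % (name, attr))
    return findings


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise run the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"WEAK": WEAK, "HARDENED": HARDENED, "PARTIAL": PARTIAL}
    for label, text in samples.items():
        print(label, audit_server_xml(text) or "OK")
```

Run it with the path to the Tomcat server.xml as the only argument; an empty result means every Host suppresses both the error report and the server information.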