Default Error Pages Present - Endevor Webservices

Article ID: 134199

Updated On:

Products

Endevor, Endevor Natural Integration, Endevor - ECLIPSE Plugin, Endevor - Enterprise Workbench

Issue/Introduction

Penetration testing has identified an issue: "Default Error Pages Present - Endevor Webservices". The server returned error pages that are the defaults for the Apache Tomcat technology in use. These pages could give an attacker information about the specific technology versions in use on the target system, aiding the design of further attacks. The content of these error pages allowed the web server version to be enumerated.

Environment

Release : 18.0

Component : CA Endevor Software Change Manager

Cause

Default Tomcat behavior. 

Resolution

In server.xml, add this line:

<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />

This globally suppresses the Tomcat version and the error report, showing only the error code, in web applications that do not use custom error pages.
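To confirm the setting after the change, the following added example (not part of the original article or of the Endevor product) audits a server.xml for hosts that still use the default error report and checks an error response body for a disclosed Tomcat version. It assumes the Valve is nested inside each <Host> element; the function names, host names and sample data are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

VALVE_CLASS = "org.apache.catalina.valves.ErrorReportValve"
HARDENED = {"showReport": "false", "showServerInfo": "false"}

def audit_server_xml(xml_text):
    """Return {host name: [problems]} for every <Host> that is not hardened."""
    findings = {}
    for host in ET.fromstring(xml_text).iter("Host"):
        name = host.get("name", "(unnamed)")
        valves = [v for v in host.findall("Valve")
                  if v.get("className") == VALVE_CLASS]
        if not valves:
            findings[name] = ["no ErrorReportValve configured (Tomcat defaults apply)"]
            continue
        # Both attributes default to true when omitted, so absence is a finding.
        problems = [f'{attr} is not "false"'
                    for attr, want in HARDENED.items()
                    if valves[0].get(attr, "true").strip().lower() != want]
        if problems:
            findings[name] = problems
    return findings

def discloses_tomcat_version(body):
    """Return the version string exposed in an error page body, or None."""
    m = re.search(r"Apache Tomcat/(\d+(?:\.\d+)+)", body)
    return m.group(1) if m else None

# Constructed sample configuration (assumption: Valve nested in <Host>).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps">
    <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />
  </Host>
  <Host name="partial.example" appBase="webapps2">
    <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" />
  </Host>
  <Host name="default.example" appBase="webapps3" />
</Engine></Service></Server>"""

# Constructed error page body in the style of a default Tomcat report.
SAMPLE_ERROR_BODY = "<h1>HTTP Status 404 - Not Found</h1><hr/><h3>Apache Tomcat/9.0.0</h3>"

if __name__ == "__main__":
    for host, problems in audit_server_xml(SAMPLE_SERVER_XML).items():
        print(host, "->", "; ".join(problems))
    print("version disclosed:", discloses_tomcat_version(SAMPLE_ERROR_BODY))
```

Run the audit against the deployed server.xml and pass the body of a deliberately requested non-existent URL to the second function; an empty result and `None` indicate the default report is suppressed.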

Upgrade to the latest maintenance: SO09627