
'TCAT-AS-000950 - Tomcat server version must not be sent with warnings and errors.' (Vuln ID: V-222978)


Article ID: 224409


Products

CA Spectrum DX NetOps

Issue/Introduction

A first order of attack is to identify vulnerable servers and services. Removing version information that would otherwise be provided when a client requests version data or receives an error message can limit automated attack attempts.

Remove or replace the version string from HTTP error messages by repacking $CATALINA_HOME/server/lib/catalina.jar with an updated ServerInfo.properties file. This will modify the server information that is provided in error and warning responses.


Environment

Release : 21.2


Resolution

This has been resolved in DX NetOps Spectrum 21.2.8 onwards.

Meanwhile, the following steps can be done manually to mitigate:

From the Tomcat server, cd to the $CATALINA_HOME/lib folder. As a privileged user, run the following case-sensitive command to extract the properties file from catalina.jar:

sudo jar -xf catalina.jar org/apache/catalina/util/ServerInfo.properties

Edit the ServerInfo.properties file:
sudo nano org/apache/catalina/util/ServerInfo.properties

Change server.info and server.number to read:
server.info=<Enter Some Random Name or Value>
server.number=<Enter Some Random number>

EXAMPLE:
server.info=Standard Server
server.number=1.0.2.11

(Values in a Java properties file are not quoted; any quotation marks you type become part of the name Tomcat reports.)

Save the ServerInfo.properties file.

Run the following command to update the catalina.jar file with the edited entry:
sudo jar -uf catalina.jar org/apache/catalina/util/ServerInfo.properties

Restart the Tomcat server:
sudo systemctl restart tomcat

Remove the extracted org directory so the edited file is not left loose under $CATALINA_HOME/lib:
sudo rm -rf $CATALINA_HOME/lib/org


On Windows we suggest using 7-Zip to do the above.

1. Stop Tomcat Service

2. Open catalina.jar (in the lib folder of the Tomcat installation) in 7-Zip.

3. Navigate to org/apache/catalina/util/

4. Edit the ServerInfo.properties file and set server.info and server.number to values of your choosing, as in the example above.

5. Save file.

6. Click "yes" to update the JAR when prompted by 7-Zip.

7. Start Tomcat
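As an added example (not part of this article and not Broadcom's or Tomcat's own code), the same edit done with Python's zipfile instead of the jar tool or 7-Zip, since a jar is a zip archive: it rewrites only server.info and server.number, keeps a .bak of the original jar, and reads the entry back so the change can be verified before Tomcat is restarted. The catalina.jar contents below are constructed for the demo, not taken from a real Tomcat installation.

```python
import shutil, tempfile, zipfile
from pathlib import Path
ENTRY = "org/apache/catalina/util/ServerInfo.properties"  # read by Tomcat for Server header/error pages

def rewrite_properties(text, info, number):
    """Replace server.info / server.number lines; leave all other keys alone."""
    out = []
    for line in text.splitlines():
        key = line.split("=", 1)[0].strip()
        if key == "server.info":
            out.append(f"server.info={info}")
        elif key == "server.number":
            out.append(f"server.number={number}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"

def patch_catalina_jar(jar, info, number):
    """Copy every entry into a new jar, rewriting ServerInfo.properties in transit; keep a .bak."""
    patched = jar.with_name(jar.name + ".new")
    with zipfile.ZipFile(jar) as src, zipfile.ZipFile(patched, "w") as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == ENTRY:
                data = rewrite_properties(data.decode(), info, number).encode()
            dst.writestr(item, data)
    shutil.copy2(jar, jar.with_name(jar.name + ".bak"))
    patched.replace(jar)

def server_info(jar):
    """Read back what the patched jar will report, so the edit can be verified."""
    with zipfile.ZipFile(jar) as zf:
        lines = zf.read(ENTRY).decode().splitlines()
    return dict(l.split("=", 1) for l in lines if "=" in l and not l.startswith("#"))

def build_sample_jar(directory):
    """Constructed stand-in for catalina.jar (not a real Tomcat jar)."""
    jar = Path(directory) / "catalina.jar"
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(ENTRY, "server.info=Apache Tomcat/9.0.0\n"
                           "server.number=9.0.0.0\nserver.built=Jan 1 2020\n")
    return jar

def demo():
    """Patch the constructed jar with the article's example values and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        jar = build_sample_jar(tmp)
        patch_catalina_jar(jar, "Standard Server", "1.0.2.11")
        return server_info(jar)
```

Against a real installation, point patch_catalina_jar at $CATALINA_HOME/lib/catalina.jar with Tomcat stopped, then confirm server_info() shows no "Apache Tomcat" string before restarting.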
