'TCAT-AS-000950 - Tomcat server version must not be sent with warnings and errors.' (Vuln ID: V-222978)

Article ID: 224409

Products

CA Spectrum

Issue/Introduction

A first step in an attack is to identify vulnerable servers and services. Removing the version information that a server would otherwise disclose when a client requests version data or receives an error message limits automated attack attempts that key on a specific product version.

Remove or replace the version string in HTTP error messages by repacking $CATALINA_HOME/server/lib/catalina.jar with an updated ServerInfo.properties file. This changes the server information that Tomcat includes in error and warning responses.
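The following script is an added illustration of the repacking step above, not part of this article or of the vendor fix: it reads ServerInfo.properties out of a catalina.jar, reports whether server.info still discloses a version number, and rewrites the jar with a neutral value while keeping a backup. The jar it builds in demo() is a constructed stand-in for testing offline, not a real Tomcat artifact.

```python
import io
import tempfile
import zipfile
from pathlib import Path

# Real location of the properties file inside catalina.jar.
SERVERINFO_ENTRY = "org/apache/catalina/util/ServerInfo.properties"

def read_server_info(jar_path):
    """Parse key=value lines from ServerInfo.properties inside the jar."""
    with zipfile.ZipFile(jar_path) as jar:
        text = jar.read(SERVERINFO_ENTRY).decode("utf-8")
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def version_disclosed(jar_path):
    """Check: True while server.info still carries a version number (finding open)."""
    return any(ch.isdigit() for ch in read_server_info(jar_path).get("server.info", ""))

def repack_server_info(jar_path, overrides):
    """Rebuild the jar with the given ServerInfo.properties keys replaced.
    Every other entry is copied unchanged; the original jar is kept as <name>.bak."""
    jar_path = Path(jar_path)
    props = read_server_info(jar_path)
    props.update(overrides)
    new_text = "".join(f"{k}={v}\n" for k, v in props.items()).encode("utf-8")
    buf = io.BytesIO()
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            data = new_text if info.filename == SERVERINFO_ENTRY else src.read(info)
            dst.writestr(info, data)  # reusing the ZipInfo keeps name, method and timestamp
    jar_path.rename(jar_path.parent / (jar_path.name + ".bak"))
    jar_path.write_bytes(buf.getvalue())
    return props

def demo():
    """Build a constructed stand-in jar, then apply the fix and re-run the check."""
    jar = Path(tempfile.mkdtemp()) / "catalina.jar"
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr(SERVERINFO_ENTRY, "server.info=Apache Tomcat/9.0.50\n"
                                     "server.number=9.0.50.0\nserver.built=Jun 28 2021 UTC\n")
        z.writestr("org/apache/catalina/Stub.class", b"\xca\xfe\xba\xbe")  # constructed filler
    before = version_disclosed(jar)
    repack_server_info(jar, {"server.info": "Apache Tomcat", "server.number": "0.0.0.0"})
    return {"before": before, "after": version_disclosed(jar),
            "info": read_server_info(jar)["server.info"],
            "backup_exists": (jar.parent / "catalina.jar.bak").exists()}
```

Point the functions at the live jar only with Tomcat stopped, and keep the .bak until the server has been restarted and an error page has been checked.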

Environment

Release : 21.2

Resolution

This cannot be done by the customer.

DX NetOps Spectrum will resolve this finding in NetOps 21.2.4 and later.

The tentative GA date for 21.2.4 is October 2021.