'TCAT-AS-000940 - ErrorReportValve showReport must be set to false.' (Vuln ID: V-222977)

Article ID: 224576

Products

CA Spectrum DX NetOps

Issue/Introduction

The Error Report Valve is a simple error handler for HTTP status codes that will generate and return HTML error pages. It can also be configured to return pre-defined static HTML pages for specific status codes and/or exception types.

Disabling showReport will result in no error message or stack trace being sent to the client. This setting can be tailored on a per-application basis within each application-specific web.xml.

 

<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="true" showServerInfo="false"></Valve>

Environment

Release: 21.2

 

Resolution

This value can be changed to false without affecting DX NetOps Spectrum in any way.

Edit the $SPECROOT/tomcat/conf/server.xml file to alter the setting.

A Tomcat restart is required for the change to take effect.

Broadcom will be including this out of the box in a future release.

Spectrum also already includes its own error pages:

  <error-page xmlns="">
    <error-code>403</error-code>
    <location>/e403.jsp</location>
  </error-page>
  <error-page xmlns="">
    <error-code>401</error-code>
    <location>/e401.jsp</location>
  </error-page>
  <error-page xmlns="">
    <error-code>404</error-code>
    <location>/errorcode.jsp</location>
  </error-page>
  <error-page xmlns="">
    <error-code>408</error-code>
    <location>/e408.jsp</location>
  </error-page>
  <error-page xmlns="">
    <error-code>500</error-code>
    <location>/errorcode.jsp</location>
  </error-page>
  <error-page xmlns="">
    <error-code>400</error-code>
    <location>/console/bad-request.jsp</location>
  </error-page>
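
To confirm the server.xml change described in the Resolution, the check below parses the file and reports every Host whose ErrorReportValve is missing or does not have showReport set to false. It is an added example, not Broadcom or Spectrum code; the function name and the sample server.xml (including the host names) are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

ERV = "org.apache.catalina.valves.ErrorReportValve"

# Constructed sample, not the Spectrum file: one Host carries the valve as
# shown in the article (showReport="true"), the other defines no valve at all.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="true" showServerInfo="false"></Valve>
      </Host>
      <Host name="example-host" appBase="webapps2"/>
    </Engine>
  </Service>
</Server>"""


def audit_error_report_valve(server_xml: str) -> list[str]:
    """Return one finding per Host whose error pages can expose a report."""
    findings = []
    for host in ET.fromstring(server_xml).iter("Host"):
        name = host.get("name", "<unnamed>")
        valves = [v for v in host.findall("Valve") if v.get("className") == ERV]
        if not valves:
            # Tomcat attaches a default ErrorReportValve to every Host, and
            # that default has showReport enabled.
            findings.append(f"{name}: no ErrorReportValve defined (default showReport=true)")
            continue
        for valve in valves:
            value = valve.get("showReport", "true")  # absent attribute means true
            if value.strip().lower() != "false":
                findings.append(f"{name}: showReport={value!r}")
    return findings


if __name__ == "__main__":
    # Pass the path to server.xml as the first argument; with no argument
    # the constructed sample above is audited instead.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    results = audit_error_report_valve(text)
    print("\n".join(results) if results else "PASS: showReport is false on every Host")
    sys.exit(1 if results else 0)
```

Run it against $SPECROOT/tomcat/conf/server.xml before and after the edit; a non-zero exit status means at least one Host still returns the error report.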