
Apache Tomcat Default Files


Article ID: 253299


Updated On:

Products

Clarity PPM On Premise, Clarity PPM SaaS

Issue/Introduction

Are Clarity and Jaspersoft vulnerable to the Apache Tomcat Default Files vulnerability?

Also, can the files below be removed from the Clarity and Jaspersoft Tomcat folders?

  • https://<server_name>/docs/
  • https://<server_name>/examples/servlets/index.html
  • https://<server_name>/examples/jsp/index.html
  • https://<server_name>/examples/websocket/index.html

Environment

Release: Any supported release of Clarity and Jaspersoft

Resolution

Clarity: 

Clarity is deployed as a managed service, so it is not possible for an attacker to reach the URLs listed below, even though the base Tomcat folder contains the docs and examples folders. When Clarity is started, Tomcat is deployed under the Clarity folder as tomcat-nsa-deploy and tomcat-app-deploy, and the docs and examples folders are not present in those folders. The files can still be deleted from the base Tomcat folder.

  • https://<server_name>/docs/
  • https://<server_name>/examples/servlets/index.html
  • https://<server_name>/examples/jsp/index.html
  • https://<server_name>/examples/websocket/index.html

Jaspersoft: 

In Jaspersoft, the URLs mentioned above can be exploited by default, and it is recommended to delete the docs and examples folders under the tomcat_home\webapps folder. To do that, follow the steps below:

  • Stop the Jaspersoft service
  • Navigate to tomcat_home\webapps
  • Delete the tomcat_home\webapps\docs and tomcat_home\webapps\examples folders
  • Start the Jaspersoft service
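
The Jaspersoft steps above can be scripted and then verified against the four default-content URLs. This PowerShell script is an added example, not part of the original article or the vendor's tooling. The `$TomcatHome`, `$ServiceName` and `$BaseUrl` parameters are assumptions to be filled in for your installation (the article does not give the Windows service name), and the script assumes an elevated session on the Jaspersoft host.

```powershell
# Added example: all three parameter values are site-specific assumptions.
param(
    [Parameter(Mandatory)] [string] $TomcatHome,   # the Jaspersoft tomcat_home folder
    [Parameter(Mandatory)] [string] $ServiceName,  # Windows service name of Jaspersoft (not given in the article)
    [Parameter(Mandatory)] [string] $BaseUrl       # e.g. https://<server_name>
)
$ErrorActionPreference = 'Stop'

$webapps = Join-Path $TomcatHome 'webapps'
if (-not (Test-Path -LiteralPath $webapps -PathType Container)) {
    throw "webapps folder not found: $webapps"
}

Stop-Service -Name $ServiceName
try {
    foreach ($name in 'docs', 'examples') {
        $target = Join-Path $webapps $name
        if (Test-Path -LiteralPath $target) {
            Remove-Item -LiteralPath $target -Recurse -Force
            Write-Host "Removed $target"
        } else {
            Write-Host "Already absent: $target"
        }
    }
} finally {
    Start-Service -Name $ServiceName   # restart even if a delete failed
}

# Verify: none of the default-content URLs from the article should answer 200.
$paths = '/docs/', '/examples/servlets/index.html', '/examples/jsp/index.html', '/examples/websocket/index.html'
$stillServed = @()
foreach ($p in $paths) {
    $url = $BaseUrl.TrimEnd('/') + $p
    try {
        $status = [int](Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15).StatusCode
    } catch {
        $resp = $_.Exception.Response                        # null when no HTTP response was received
        $status = if ($resp) { [int]$resp.StatusCode } else { 0 }
    }
    Write-Host ("{0} -> {1}" -f $url, $status)
    if ($status -eq 200) { $stillServed += $url }
}
if ($stillServed) { throw "Default content still served: $($stillServed -join ', ')" }
```

A status of 0 means no HTTP response was received, which usually indicates the service is still starting; rerun the verification once Jaspersoft is up.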