
Vulnerability: Tomcat 404 Page Shows Version


Article ID: 38048


Updated On:


CA Virtual Privilege Manager CA Privileged Identity Management Endpoint (PIM) CA Privileged Access Manager (PAM)



By default, Tomcat's 404 error page displays the exact Tomcat version that is running. This is an information disclosure: a banner grab (a scanner or attacker requesting a non-existent page and reading the response) reveals the version, which makes it easier to match the server against known issues for that release. Follow the steps below to prevent the Tomcat version from being displayed.




Part 1- Edit the Tomcat server.xml 

1- Stop Tomcat

2- Browse to the Tomcat conf directory. 

3- Make a copy of server.xml and send it to the desktop as a back up 

4- Open server.xml in the conf directory for editing. 

5- Scroll to the section regarding connectors (either 8080 or 8443, depending on your configuration) and add the line below. The value in the quotes can be anything as long as it is not blank.


6- Save and close the file. 


Part 2- Edit 

1- Browse to the Tomcat lib directory. 

2- Copy catalina.jar to the desktop to back it up.

3- Open the archive with 7zip or a similar program.

4- Drag org\apache\catalina\util\ to the Desktop 

5- Open the file for editing.

6- Comment out the lines referencing and server.number, then add the lines below. The value can be anything, as long as it isn't empty. 


7- Save and close the file, then drag the file back into the archive so it overwrites the current file.

8- Start Tomcat
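To confirm the change after Tomcat is restarted, the Python script below (an added example, not part of this article or the product) scans a 404 response for a Tomcat version string in both the Server header and the page body. The host, port, probe path, sample responses and the placeholder value "Secured" are constructed assumptions.

```python
import http.client
import re

# Pattern for the version string Tomcat's default error page prints in its
# title and <h3> footer, e.g. "Apache Tomcat/9.0.0" (version constructed).
VERSION_RE = re.compile(r"Apache Tomcat/(\d+(?:\.\d+)+)")


def find_version_disclosure(headers, body):
    """Return (location, version) pairs disclosed by a 404 response.

    headers: dict of response header names to values (names case-insensitive)
    body:    the response body as text
    """
    findings = []
    server = next((v for k, v in headers.items() if k.lower() == "server"), "")
    m = VERSION_RE.search(server)
    if m:
        findings.append(("Server header", m.group(1)))
    for m in VERSION_RE.finditer(body):
        findings.append(("404 body", m.group(1)))
    return findings


def probe_404(host, port=8080, path="/this-path-should-not-exist-zz"):
    """Request a non-existent path from your own Tomcat and scan the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        return resp.status, find_version_disclosure(dict(resp.getheaders()), body)
    finally:
        conn.close()


# Constructed sample responses: an unmodified default 404 page, and the same
# page after server.xml and the properties file were edited (value "Secured").
BEFORE = {"Server": "Apache-Coyote/1.1"}, (
    "<html><head><title>Apache Tomcat/9.0.0 - Error report</title></head>"
    '<body><h1>HTTP Status 404</h1><hr class="line">'
    "<h3>Apache Tomcat/9.0.0</h3></body></html>")
AFTER = {"Server": "Secured"}, (
    "<html><head><title>HTTP Status 404</title></head>"
    '<body><h1>HTTP Status 404</h1><hr class="line"><h3>Secured</h3></body></html>')

if __name__ == "__main__":
    for label, (hdrs, body) in (("before", BEFORE), ("after", AFTER)):
        print(label, find_version_disclosure(hdrs, body))
```

Run `probe_404("your-pim-host", 8080)` against your own server; an empty findings list means neither the header nor the page discloses a version.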


Additional Information:

This doc addresses NESSUS vulnerabilities 88099 and 88490. For more information regarding the NESSUS vulnerabilities, please see the links below.


Release: ACP1M005900-12.9-Privileged Identity Manager