Details

Stack tracing provides debugging information from the application call stacks when a runtime error is encountered. If stack tracing is left enabled, Tomcat will provide this call stack information to the requestor which could result in the loss of sensitive information or data that could be used to compromise the system. As with all STIG settings, it is acceptable to temporarily enable for troubleshooting and debugging purposes but the setting must not be left enabled after troubleshooting tasks have been completed.

Solution

From the Tomcat server as a privileged user, edit the xml files containing the ‘allow Trace=true’ statement.

Remove the ‘allow Trace=true’ statement from the affected xml configuration files and restart the Tomcat server:
sudo systemctl restart tomcat
sudo systemctl daemon-reload

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Tomcat_Application_Server_9_V2R3_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Unix.

References

• 800-53|CM-7a.
• CAT|II
• CCI|CCI-000381
• Rule-ID|SV-222950r615938_rule
• STIG-ID|TCAT-AS-000470
• STIG-Legacy|SV-111425
• STIG-Legacy|V-102483
• Vuln-ID|V-222950

Source

• Tenable.com/audits