Details

The HTTP TRACE verb provides debugging and diagnostics information for a given request.

Rationale:

Diagnostic information, such as that found in the response to a TRACE request, often contains sensitive information which may useful to an attacker. By preventing Tomcat from providing this information, the risk of leaking sensitive information to a potential attacker is reduced.

Solution

Perform the following to prevent Tomcat from accepting a TRACE request:
Set the allowTrace attribute for each Connector specified in $CATALINA_HOME/conf/server.xml to false.

Alternatively, ensure the allowTrace attribute is absent from each Connector specified in $CATALINA_HOME/conf/server.xml.

Default Value:

Tomcat does not allow the TRACE HTTP verb by default. Tomcat will only allow TRACE if the allowTrace attribute is present and set to true.

References:

https://tomcat.apache.org/tomcat-8.0-doc/config/http.html

https://tomcat.apache.org/tomcat-8.5-doc/security-howto.html

https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/2506

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Unix.

References

• 800-53|CM-7
• CSCv7|13.2

Source

• Tenable.com/audits