Disable client-facing stack traces (check for defined exception type)

Details

Debugging information, such as that found in call stacks, often contains sensitive information that may be useful to an attacker (class and library names, file paths, internal parameter values). By preventing Tomcat from returning this information to the client, the risk of leaking sensitive information to a potential attacker is reduced.

Solution

Perform the following to prevent Tomcat from providing debug information to the requestor during runtime errors:

1. Create a web page that contains the logic or message you wish to invoke when encountering a runtime error. For example purposes, assume this page is located at /error.jsp.
2. Add a child element, <error-page>, to the <web-app> element in the $CATALINA_HOME/conf/web.xml file.
3. Add a child element, <exception-type>, to the <error-page> element. Set the value of the <exception-type> element to java.lang.Throwable.
4. Add a child element, <location>, to the <error-page> element. Set the value of the <location> element to the location of the page created in #1.

The resulting entry will look as follows:

    <error-page>
        <exception-type>java.lang.Throwable</exception-type>
        <location>/error.jsp</location>
    </error-page>
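The control's title calls for a check that the exception type is actually defined. The following script is an added audit example, not part of the CIS benchmark or of Tomcat: it parses a web.xml, handles the servlet-spec namespace, and reports whether an <error-page> with <exception-type> java.lang.Throwable and a non-empty <location> exists. The two embedded web.xml documents are constructed sample inputs; the path argument to audit_file is whatever $CATALINA_HOME/conf/web.xml resolves to on the host being audited.

```python
"""Audit helper for the CIS Tomcat 'client-facing stack traces' control.

Checks that $CATALINA_HOME/conf/web.xml declares an <error-page> whose
<exception-type> is java.lang.Throwable and whose <location> is set.
Added example; not CIS or Tomcat code.
"""
import sys
import xml.etree.ElementTree as ET


def _local_name(tag):
    # ElementTree renders namespaced tags as "{uri}name"; keep only "name"
    # so the check works whether or not web.xml declares the javaee namespace.
    return tag.rsplit("}", 1)[-1]


def find_throwable_error_page(web_xml_text):
    """Return the <location> of the java.lang.Throwable <error-page>, or None."""
    root = ET.fromstring(web_xml_text.encode("utf-8"))
    for element in root.iter():
        if _local_name(element.tag) != "error-page":
            continue
        exception_type = None
        location = None
        for child in element:
            name = _local_name(child.tag)
            if name == "exception-type":
                exception_type = (child.text or "").strip()
            elif name == "location":
                location = (child.text or "").strip()
        if exception_type == "java.lang.Throwable":
            return location or None
    return None


def is_compliant(web_xml_text):
    """True when a catch-all error page is defined and points at a real path."""
    location = find_throwable_error_page(web_xml_text)
    return location is not None and location.startswith("/")


def audit_file(path):
    """Read web.xml from disk and return (compliant, location-or-None)."""
    with open(path, "r", encoding="utf-8") as handle:
        text = handle.read()
    return is_compliant(text), find_throwable_error_page(text)


# Constructed sample: web.xml that satisfies the control.
COMPLIANT_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.jsp</location>
  </error-page>
</web-app>
"""

# Constructed sample: only an HTTP 404 page is mapped, so uncaught
# exceptions still fall through to Tomcat's default stack-trace page.
NONCOMPLIANT_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <error-page>
    <error-code>404</error-code>
    <location>/notfound.jsp</location>
  </error-page>
</web-app>
"""


if __name__ == "__main__":
    # Usage: python check_error_page.py /path/to/conf/web.xml
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:
        for label, sample in (("compliant", COMPLIANT_WEB_XML),
                              ("non-compliant", NONCOMPLIANT_WEB_XML)):
            print(label, "->", is_compliant(sample), find_throwable_error_page(sample))
    else:
        ok, location = audit_file(target)
        print("PASS" if ok else "FAIL", location)
        sys.exit(0 if ok else 1)
```

The check deliberately matches on the local element name rather than the full namespaced tag, because Tomcat's shipped web.xml and application-supplied web.xml files use different namespace URIs across servlet-spec versions; matching only on java.lang.Throwable (rather than a narrower type such as java.lang.Exception) mirrors the control, since only Throwable catches every error Tomcat would otherwise render with a stack trace.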

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity. This control applies to the following type of system: Unix.

Updated on July 16, 2022