Details

When a runtime error occurs during request processing, Apache Tomcat will display debugging information to the requestor. It is recommended that such debug information be withheld from the requestor.

Rationale:

Debugging information, such as that found in call stacks, often contains sensitive information which may be useful to an attacker. By preventing Tomcat from providing this information, the risk of leaking sensitive information to a potential attacker is reduced.

Solution

Perform the following to prevent Tomcat from providing debug information to the requestor during runtime errors:

Create a web page that contains the logic or message you wish to invoke when encountering a runtime error. For example purposes, assume this page is located at /error.jsp.

Add a child element, , to the element, in the $CATALINA_HOME/conf/web.xml file.

Add a child element, , to the element. Set the value of the element to java.lang.Throwable.

Add a child element to the element. Set the value of the element to the location of page created in step 1.

The resulting entry will look as follows:

java.lang.Throwable
/error.jsp

Default Value:

Tomcat’s default configuration does not include an element in $CATALINA_HOME/conf/web.xml. Therefore, Tomcat will provide debug information to the requestor by default.

References:

https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/tomcat/util/descriptor/web/ErrorPage.html

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/2506

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Unix.

References

• 800-53|CM-7
• CSCv7|13.2

Source

• Tenable.com/audits