Details

The DefaultServlet serves static resources as well as serves the directory listings (if directory listings are enabled). It is declared globally in $CATALINA_BASE/conf/web.xml and by default is configured with the ‘debug’ parameter set to 0, which is disabled. Changing this to a value of 1 or higher sets the servlet to print debug level information. DefaultServlet debug setting must be set to 0 (disabled).

Solution

From the Tomcat server as a privileged user:

Edit the $CATALINA_BASE/conf/web.xml file.

Examine the elements within the element, if the ‘debug’element is not ‘0” change the ‘debug’ to read ‘0’.

sudo systemctl restart tomcat
sudo systemctl daemon-reload

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Tomcat_Application_Server_9_V2R3_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management.This control applies to the following type of system Unix.

References

• 800-53|CM-7a.
• CAT|III
• CCI|CCI-000381
• Rule-ID|SV-222953r615938_rule
• STIG-ID|TCAT-AS-000510
• STIG-Legacy|SV-111431
• STIG-Legacy|V-102489
• Vuln-ID|V-222953

Source

• Tenable.com/audits