tomcat-users mailing list archives

From "Berneburg, Cris J. - US" <>
Subject RE: tomcat 6 vulnerability scan default error page help
Date Mon, 07 May 2018 15:12:03 GMT

Thanks for taking the time to help.  Again, I appreciate it.

cjb> We are getting dinged by a vulnerability scan for the default
cjb> not-found error page being returned by Tomcat for a Status 404.
cjb> [...]
cjb> And we're using Tomcat 6.0.37 (ahem).

MT> And you are worried about returning the version number? Have you
MT> seen how many real security issues (as opposed to this version
MT> number non-issue) there are in 6.0.37? I can't help but think
MT> your priorities are all wrong.

While I agree that we need to upgrade Tomcat, and it is long overdue, I disagree that my priorities
are *all* wrong. (tongue-in-cheek)  The compliance deadline looms a bit close to allow time
for staging and regression testing. (panicked)

Ironically, the scan said nothing about the Tomcat version itself:

"The remote web server contains default files.  The default error page, default index page,
example JSPs, and/or example servlets are installed on the remote Apache Tomcat server. These
files should be removed as they may help an attacker uncover information about the remote
Tomcat install or host itself.  Delete the default index page and remove the example JSP and
servlets. Follow the Tomcat or OWASP instructions to replace or modify the default error page."

Cris Berneburg
CACI Lead Software Engineer
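The remediation the scan finding points at ("replace or modify the default error page") is done in the web application's `WEB-INF/web.xml`, not in Tomcat's global configuration. The fragment below is an added example, not code from this thread or from the Tomcat or OWASP documentation; the file paths under `/WEB-INF/error/` are assumed and would be plain static pages you write yourself. It uses Servlet 2.5 syntax, which Tomcat 6 supports.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread): map the status codes the scanner
     exercises, plus any uncaught exception, to static pages you control, so
     Tomcat's built-in ErrorReportValve page (with its version banner) is
     never rendered. Locations under /WEB-INF/ are reachable through the
     error-page forward even though clients cannot request them directly.
     The /WEB-INF/error/*.html paths are assumed for this example. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Not found: the page the scan complained about -->
  <error-page>
    <error-code>404</error-code>
    <location>/WEB-INF/error/404.html</location>
  </error-page>

  <!-- Other status codes the default page would otherwise render -->
  <error-page>
    <error-code>403</error-code>
    <location>/WEB-INF/error/403.html</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/WEB-INF/error/500.html</location>
  </error-page>

  <!-- Catch-all for uncaught exceptions, which also produce the default
       report (including a stack trace) when left unmapped -->
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/WEB-INF/error/500.html</location>
  </error-page>

</web-app>
```

Two points to check after deploying this: the mappings only apply to requests routed into that context, so a 404 for a path under the ROOT context still gets Tomcat's default page unless the ROOT application (or whatever replaces the stock one) carries the same `error-page` entries; and the static pages themselves should say nothing about the server (no product name or version), since the scanner is looking for exactly that text in the response body.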

