Hide Tomcat version on error pages

I have a REST API running on a Tomcat server. If I try to access the API directly and some error happens, the Tomcat error page is displayed:

Notice that at the end is the following line: Apache Tomcat/8.0.30.

Given the situation I have some questions:

  • Would it be a security breach to leave the version exposed in this way?
  • How do I hide this version on Windows?

1 answer


In itself, it's not a security breach, but it's still a good idea to hide that information, because if in the future vulnerabilities are discovered in this particular version and your service is not upgraded to a safer version of Tomcat (which ideally should not happen, but in practice can, for various reasons), then "announcing to the world" that you are running a vulnerable service would make things easier for any attackers targeting your server.

To hide this information, you can follow the procedure described on that page, or alternatively the one described on the OWASP website (which includes other suggestions for keeping your instance safe and is worth reading):

  1. Find the file catalina.jar (it is inside the folder specified as CATALINA_HOME, in the sub-folder server\lib) and extract from it the file

    org/apache/catalina/util/ServerInfo.properties
    
  2. Update this file by replacing (or adding) the server.info entry with a string of your choice. Example:

    server.info=Apache Tomcat
    
  3. Either:

    • Put the updated file back into the jar (this might break some applications, like Lambda Probe); or
    • Create the folder structure lib\org\apache\catalina\util inside CATALINA_HOME and place the modified version of ServerInfo.properties there.
  4. Restart Tomcat.

This should cause the error messages to display the string you chose (in the above example, Apache Tomcat) instead of the version number.

  • Outstanding!!!!!!

  • Many thanks @mgibsonbr, it worked perfectly.

  • Excellent!!! I made it here and it worked great!! Thanks!! Regina Deboni
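The procedure in the answer above, carried through as an added example (this is not code from the question, the answer or the Tomcat project). It implements the second option of step 3: the edited ServerInfo.properties is dropped into CATALINA_HOME\lib\org\apache\catalina\util\ instead of repacking the jar. Tomcat's common class loader searches the lib directory before the jars inside it, so the copy on disk wins. Assumptions: the script takes CATALINA_HOME as an argument, and it looks for catalina.jar in CATALINA_HOME\lib, which is where Tomcat 6 and later keep it (the server\lib path in the answer is the older layout). The CATALINA_HOME and version strings used in the demo are constructed so the example runs offline.

```python
"""Override Tomcat's server.info without repacking catalina.jar.

Added example, not the original poster's or Tomcat's code.
Assumes catalina.jar is at CATALINA_HOME/lib/catalina.jar (Tomcat 6+ layout).
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Classpath resource that ServerInfo reads; same relative path inside the jar
# and under CATALINA_HOME/lib for the override.
RESOURCE = "org/apache/catalina/util/ServerInfo.properties"

_SERVER_INFO_LINE = re.compile(r"^server\.info\s*=(.*)$", re.MULTILINE)


def rewrite_server_info(original: str, new_info: str) -> str:
    """Return the properties text with server.info replaced, or appended if absent.

    Only server.info is touched; server.number, server.built and comments stay.
    A lambda is used so backslashes in new_info are not treated as regex escapes.
    """
    replacement = f"server.info={new_info}"
    if _SERVER_INFO_LINE.search(original):
        return _SERVER_INFO_LINE.sub(lambda _m: replacement, original, count=1)
    sep = "" if original == "" or original.endswith("\n") else "\n"
    return f"{original}{sep}{replacement}\n"


def install_override(catalina_home: Path, new_info: str = "Apache Tomcat") -> Path:
    """Steps 1-3 of the answer: extract, edit, place under CATALINA_HOME/lib/.

    Returns the path of the override file that was written.
    Java .properties files are ISO-8859-1, hence the latin-1 codec.
    """
    jar = catalina_home / "lib" / "catalina.jar"
    with zipfile.ZipFile(jar) as zf:
        original = zf.read(RESOURCE).decode("latin-1")
    target = catalina_home / "lib" / Path(RESOURCE)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(rewrite_server_info(original, new_info), encoding="latin-1")
    return target


def effective_server_info(catalina_home: Path) -> str:
    """Report the server.info value Tomcat will pick up after a restart.

    Mirrors the common loader's search order: the file under lib/ first,
    then the copy inside catalina.jar. Lets you check the edit before restarting.
    """
    override = catalina_home / "lib" / Path(RESOURCE)
    if override.exists():
        text = override.read_text(encoding="latin-1")
    else:
        with zipfile.ZipFile(catalina_home / "lib" / "catalina.jar") as zf:
            text = zf.read(RESOURCE).decode("latin-1")
    match = _SERVER_INFO_LINE.search(text)
    return match.group(1).strip() if match else ""


def make_demo_catalina_home(root: Path) -> Path:
    """Build a constructed, minimal CATALINA_HOME with a fake catalina.jar.

    The jar holds only ServerInfo.properties; the values are sample strings
    modelled on the question's version, not a real Tomcat build.
    """
    home = root / "tomcat"
    (home / "lib").mkdir(parents=True)
    props = (
        "server.info=Apache Tomcat/8.0.30\n"
        "server.number=8.0.30.0\n"
        "server.built=Jan 1 2016 00:00:00 UTC\n"   # constructed value
    )
    with zipfile.ZipFile(home / "lib" / "catalina.jar", "w") as zf:
        zf.writestr(RESOURCE, props)
    return home


def demo() -> tuple:
    """Run the whole procedure on the constructed CATALINA_HOME.

    Returns (server.info before the override, server.info after it).
    """
    with tempfile.TemporaryDirectory() as tmp:
        home = make_demo_catalina_home(Path(tmp))
        before = effective_server_info(home)
        install_override(home, "Apache Tomcat")
        after = effective_server_info(home)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print(f"before: {before}")
    print(f"after:  {after}")
```

Against a real installation, call install_override(Path(r"C:\path\to\tomcat")) and then restart the service (step 4). Two checks are worth doing afterwards: bin\version.bat prints the Server version line from the same ServerInfo.properties, so it should now show the chosen string, and requesting a URL that does not exist (for example with curl -i) should produce an error page whose footer no longer carries the version. Note that this only changes the error page footer; the HTTP Server response header is controlled separately by the server attribute of the Connector in conf\server.xml.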
