TCAT-AS-000570 - Tomcat default ROOT web application must be removed.

Information

The default ROOT web application includes the version of Tomcat that is being used, links to Tomcat documentation, examples, FAQs, and mailing lists. The default ROOT web application must be removed from a publicly accessible Tomcat instance and a more appropriate default page shown to users. It is acceptable to replace the contents of default ROOT with a new default web application.

WARNING: Removing the ROOT folder without replacing its content with valid web-based content will result in an error page being displayed to the browser when the browser lands on the default page.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

WARNING: Removing the ROOT folder without replacing its content with valid web-based content will result in an error page being displayed to the browser when the browser lands on the default page.

From the Tomcat server OS:

Either remove the files contained in the $CATALINA_BASE/webapps/ROOT folder or replace the content of the folder with a new application that serves as the new default server application.
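Because Nessus does not perform this check itself, the following POSIX shell function is an added example (not part of the STIG or of Tenable's plugin) that an administrator can run on the Tomcat host to classify what currently sits in $CATALINA_BASE/webapps/ROOT. It distinguishes the three states the Solution text cares about: the stock default ROOT is still present (a finding), the folder has been replaced with a custom application (compliant), or the folder is missing or empty (no finding for this rule, but Tomcat will serve an error page until a replacement is deployed). The marker file names and the welcome-text string are assumptions based on what the stock Tomcat distribution ships in webapps/ROOT; the fallback path /opt/tomcat is also an assumption, so set CATALINA_BASE or pass the directory explicitly.

```shell
#!/bin/sh
# Added example: classify the contents of a Tomcat ROOT web application folder.
# Exit codes: 0 = custom application (no default markers found)
#             1 = Tomcat default ROOT content detected (finding for TCAT-AS-000570)
#             2 = ROOT folder missing or empty (error page will be served by default)
# The marker file names below are an assumption based on the files the stock
# Tomcat distribution places in webapps/ROOT; adjust for the version in use.

check_tomcat_root() {
    # Argument overrides the derived path; /opt/tomcat is an assumed default.
    root_dir="${1:-${CATALINA_BASE:-/opt/tomcat}/webapps/ROOT}"

    if [ ! -d "$root_dir" ] || [ -z "$(ls -A "$root_dir" 2>/dev/null)" ]; then
        echo "WARN: $root_dir is missing or empty; deploy a replacement default application"
        return 2
    fi

    found=0
    # Files that the stock ROOT application ships with (assumed marker set).
    for marker in index.jsp RELEASE-NOTES.txt tomcat.css tomcat.svg tomcat-power.gif asf-logo-wide.svg; do
        if [ -f "$root_dir/$marker" ]; then
            echo "FOUND default marker file: $marker"
            found=$((found + 1))
        fi
    done

    # The stock index.jsp renders a recognisable welcome banner (assumed text).
    if [ -f "$root_dir/index.jsp" ] \
        && grep -q "If you're seeing this, you've successfully installed Tomcat" "$root_dir/index.jsp" 2>/dev/null; then
        echo "FOUND default Tomcat welcome text in index.jsp"
        found=$((found + 1))
    fi

    if [ "$found" -gt 0 ]; then
        echo "FAIL: $root_dir still contains Tomcat default ROOT content ($found indicators)"
        return 1
    fi

    echo "PASS: $root_dir contains a custom default application"
    return 0
}

# Usage: ./check_tomcat_root.sh [/path/to/webapps/ROOT]
if [ "$#" -gt 0 ]; then
    check_tomcat_root "$1"
fi
```

Run it as the Tomcat service account so the directory listing reflects what the server itself can read; a non-zero exit of 1 maps directly to this STIG finding, while 2 is the condition the WARNING above describes.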

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Tomcat_Application_Server_9_V2R4_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7a., CAT|III, CCI|CCI-000381, Rule-ID|SV-222959r615938_rule, STIG-ID|TCAT-AS-000570, STIG-Legacy|SV-111443, STIG-Legacy|V-102501, Vuln-ID|V-222959

Plugin: Unix

Control ID: 824ae2870126b17ac6e362c6e7640f6f7fbe98a7081083695318bbb78087b827