TCAT-AS-000550 - xpoweredBy attribute must be disabled.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Individual connectors can be configured to display the Tomcat server info to clients. This information can be used to identify Tomcat versions which can be useful to attackers for identifying vulnerable versions of Tomcat. Individual connectors must be checked for the xpoweredBy attribute to ensure they do not pass Tomcat server info to clients.

Solution

From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.

Examine each <Connector> </Connector> element, if the element contains xpoweredBy='true', modify the statement to read ', xpoweredBy='false'.

sudo systemctl restart tomcat
sudo systemctl daemon-reload

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Tomcat_Application_Server_9_V2R6_STIG.zip

Item Details

References: CAT|III, CCI|CCI-000381, Rule-ID|SV-222957r879587_rule, STIG-ID|TCAT-AS-000550, STIG-Legacy|SV-111439, STIG-Legacy|V-102497, Vuln-ID|V-222957

Plugin: Unix

Control ID: c1e1c75b9fff9bdbd594d78c165cf44ac3992b2ec0210c3c96e883fe05bb6090