Vulnerability ---Remote Web Server Apache Tomcat Contains Default Files

Vulnerability ---Remote Web Server Apache Tomcat Contains Default Files

Reddy, Tippana Krishnanandan
Hi All,

We are using Tomcat version 8.5.31 and have observed the vulnerability below.

Title: Remote Web Server Apache Tomcat Contains Default Files

Issue: The default error page, default index page, example JSPs, /example servlets are installed on the remote Apache Tomcat server. These files should be removed as they may help an attacker uncover information about the remote Tomcat install or host itself or they may themselves contain vulnerabilities such as cross-site scripting issues.

Please let us know how to fix this Vulnerability.


Thanks in Advance

Regards,
Krishna



Re: Vulnerability ---Remote Web Server Apache Tomcat Contains Default Files

markt
On 22/05/2020 10:06, Reddy, Tippana Krishnanandan wrote:

> Hi All,
>
> We are using Tomcat version 8.5.31 and have observed the vulnerability below.
>
> Title: Remote Web Server Apache Tomcat Contains Default Files
>
> Issue: The default error page, default index page, example JSPs, /example servlets are installed on the remote Apache Tomcat server. These files should be removed as they may help an attacker uncover information about the remote Tomcat install or host itself or they may themselves contain vulnerabilities such as cross-site scripting issues.
>
> Please let us know how to fix this Vulnerability.

http://tomcat.apache.org/tomcat-8.5-doc/security-howto.html

In particular:

http://tomcat.apache.org/tomcat-8.5-doc/security-howto.html#Default_web_applications

and

http://tomcat.apache.org/tomcat-8.5-doc/security-howto.html#Valves


You should also review https://tomcat.apache.org/security-8.html


In Tomcat 9 onwards there is the option to configure a static file as
the default error page.

Mark
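
A check for the items named in the scanner finding, as an added example that is not part of the thread and not Tomcat's own tooling. It assumes the standard `webapps/` and `conf/server.xml` layout under the directory passed in, identifies the stock index page by a heuristic text match, and looks for an `ErrorReportValve` with `showReport` and `showServerInfo` set to `false`; the function name `audit_tomcat_defaults` is hypothetical.

```shell
#!/bin/sh
# Added example: audit a Tomcat base directory for default content.
# Prints one "FINDING:" line per issue; returns non-zero if any were found.
audit_tomcat_defaults() {
    base=$1
    findings=0
    report() { echo "FINDING: $1"; findings=$((findings + 1)); }

    # Example JSPs/servlets and the bundled docs ship as these webapps.
    for app in examples docs; do
        if [ -d "$base/webapps/$app" ]; then
            report "default webapp present: webapps/$app"
        fi
    done

    # Default index page: heuristic match on the stock welcome text.
    if grep -q "successfully installed Tomcat" \
        "$base/webapps/ROOT/index.jsp" 2>/dev/null; then
        report "stock welcome page served from webapps/ROOT"
    fi

    # Default error page: expect an ErrorReportValve in server.xml with
    # showReport and showServerInfo both "false". Text match only, so a
    # commented-out Valve element would also be counted.
    conf="$base/conf/server.xml"
    valve=""
    if [ -f "$conf" ]; then
        valve=$(tr '\n' ' ' < "$conf" |
            grep -o '<Valve[^>]*ErrorReportValve[^>]*>' || true)
    fi
    if [ -z "$valve" ]; then
        report "no ErrorReportValve configured; stock error report in use"
    else
        for attr in showReport showServerInfo; do
            case $valve in
                *"$attr=\"false\""*) ;;
                *) report "ErrorReportValve does not set $attr=\"false\"" ;;
            esac
        done
    fi
    [ "$findings" -eq 0 ]
}
```

Run it as `audit_tomcat_defaults "$CATALINA_BASE"` after sourcing the file; an empty output and exit status 0 mean none of the checked defaults were found.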
