STIGQter: STIG Summary: Application Server Security Requirements Guide, Version: 3, Release: 1, Benchmark Date: 23 Oct 2020

The application server must only generate error messages that provide information necessary for corrective actions without revealing sensitive or potentially harmful information in error logs and administrative messages.

DISA Rule

SV-204774r508029_rule

Vulnerability Number

V-204774

Group Title

SRG-APP-000266

Rule Version

SRG-APP-000266-AS-000169

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the application server to not write sensitive information into the logs and administrative messages.

Check Contents

Review system documentation and logs to determine if the application server writes sensitive information such as passwords or private keys into the logs and administrative messages.

If the application server writes sensitive or potentially harmful information into the logs and administrative messages, this is a finding.
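The log review in this check can be supported by an automated first pass. The following is an added example, not part of the SRG or of any application server product: it flags log lines that contain a password value or a PEM private key header and prints them redacted. The patterns, the masking rule and the sample log lines are constructed assumptions and supplement the manual review rather than replace it.

```python
import re

# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = """\
2020-10-23 10:00:01 INFO  Server started on port 8443
2020-10-23 10:00:05 ERROR Login failed for user=alice password=Winter2020! from 10.0.0.5
2020-10-23 10:00:09 DEBUG Loaded keystore: -----BEGIN RSA PRIVATE KEY-----
2020-10-23 10:00:12 WARN  JDBC connect failed: jdbc:postgresql://db/app?user=svc&password=s3cr3t
2020-10-23 10:00:15 INFO  Password policy reloaded; minimum length 15
2020-10-23 10:00:20 DEBUG datasource pwd=******** masked
"""

# Illustrative patterns (assumptions; extend them for the server under review).
PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
PASSWORD = re.compile(
    r"(?i)\b(?:password|passwd|pwd|secret)\s*[=:]\s*(?P<val>[^\s&;,\"']+)"
)

def is_masked(value):
    # A value made only of mask characters is treated as already redacted.
    return set(value) <= set("*#")

def scan(lines):
    """Return (line_number, finding_type) for each line that leaks a secret."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        if PRIVATE_KEY.search(line):
            findings.append((lineno, "private_key"))
        for m in PASSWORD.finditer(line):
            if not is_masked(m.group("val")):
                findings.append((lineno, "password_value"))
                break  # one password finding per line is enough
    return findings

def redact(line):
    # Keep the key name and separator, drop the value, so reports never echo secrets.
    return PASSWORD.sub(
        lambda m: m.group(0)[: m.start("val") - m.start()] + "<redacted>", line
    )

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for lineno, kind in scan(lines):
        print(f"line {lineno}: {kind}: {redact(lines[lineno - 1])}")
```

Any line it reports is a candidate finding under this check; a clean run does not show that the server never logs sensitive data, since the patterns only cover the formats listed.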

Documentable

False

Severity Override Guidance

Review system documentation and logs to determine if the application server writes sensitive information such as passwords or private keys into the logs and administrative messages.

If the application server writes sensitive or potentially harmful information into the logs and administrative messages, this is a finding.

Check Content Reference

M

Target Key

2900
