STIGQter: STIG Summary: ISEC7 Sphere Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020

The version number of Apache Tomcat must be removed from the CATALINA_HOME/lib/catalina.jar file.

DISA Rule

SV-224787r505933_rule

Vulnerability Number

V-224787

Group Title

SRG-APP-000383

Rule Version

ISEC-06-551100

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Remove the version string from HTTP error pages by unpacking ServerInfo.properties from CATALINA_HOME\lib\catalina.jar and updating the server version information:

Open a CMD prompt.
cd <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\lib
Copy to desktop and rename catalina.jar to catalina.zip
Open catalina.zip and drill down to org/apache/catalina/util/ServerInfo.properties
Open ‘ServerInfo.properties’ with WordPad.
Edit the server version information and save.

server.info=Apache Tomcat
server.number=
server.built=

Save file, rename to catalina.jar, and copy back to directory, replacing existing file.

Check Contents

Verify the version number of Apache Tomcat has been removed from the CATALINA_HOME/lib/catalina.jar file.

Open a CMD prompt.
cd <Drive>:\Program Files\ISEC7 EMM Suite\Tomcat\lib
Copy to desktop and rename catalina.jar to catalina.zip
Open catalina.zip and drill down to org/apache/catalina/util/ServerInfo.properties
Open ‘ServerInfo.properties’ with WordPad.
Confirm the server version information has been removed.

server.info=Apache Tomcat
server.number=
server.built=

If the version number of Apache Tomcat has not been removed from the CATALINA_HOME/lib/catalina.jar file, this is a finding.
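The check above can also be run without renaming the jar, since a .jar is a zip archive. The script below is an added example, not part of the STIG or of ISEC7's tooling; the dotted-number regex used to spot a version in server.info is an assumption, and the sample property values are constructed.

```python
import io
import re
import zipfile

ENTRY = "org/apache/catalina/util/ServerInfo.properties"  # path given in the STIG text
VERSION_RE = re.compile(r"\d+(\.\d+)+")  # assumption: a dotted number counts as a version


def parse_properties(text):
    """Minimal .properties parser: key=value lines, '#' and '!' comments skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_jar(jar):
    """Return findings for a catalina.jar path or file object; an empty list means compliant."""
    with zipfile.ZipFile(jar) as zf:
        if ENTRY not in zf.namelist():
            return [f"{ENTRY} not found in archive"]
        props = parse_properties(zf.read(ENTRY).decode("iso-8859-1"))
    findings = []
    for key in ("server.number", "server.built"):
        if props.get(key, ""):
            findings.append(f"{key} is still set: {props[key]!r}")
    info = props.get("server.info", "")
    if VERSION_RE.search(info):
        findings.append(f"server.info contains a version: {info!r}")
    return findings


def build_sample_jar(properties_text):
    """Constructed in-memory stand-in for catalina.jar (sample data, not a real Tomcat jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(ENTRY, properties_text)
    return buf


if __name__ == "__main__":
    default = "server.info=Apache Tomcat/9.0.0\nserver.number=9.0.0.0\nserver.built=Jan 1 2020\n"
    hardened = "server.info=Apache Tomcat\nserver.number=\nserver.built=\n"
    print("unmodified:", check_jar(build_sample_jar(default)))
    print("hardened:  ", check_jar(build_sample_jar(hardened)))
```

On a real system, pass the path to catalina.jar in the Tomcat lib directory to check_jar(); any returned finding corresponds to the "this is a finding" condition above.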

Documentable

False

Check Content Reference

M

Target Key

4200

Comments