STIGQter: STIG Summary: ISEC7 Sphere Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Oct 2020

Stack tracing must be disabled in Apache Tomcat.

DISA Rule

SV-224788r505933_rule

Vulnerability Number

V-224788

Group Title

SRG-APP-000383

Rule Version

ISEC-06-551200

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Remove the default error page by updating the web application web.xml file.

Navigate to the ISEC7 EMM Suite installation directory: <Drive>:\Program Files\ISEC7 EMM Suite\web\WEB-INF
Open web.xml with Notepad.exe.
Scroll to the end of the file.
Remove the comment tags "<!--" and "-->" around the following block:

<!-- <error-page>
<exception-type>java.lang.Exception</exception-type>
<location>/exception.jsp</location>
</error-page> -->

Save the changes.

This will acknowledge to the user that an exception occurred without showing any trace or source information.

Check Contents

Verify stack tracing has been disabled in Apache Tomcat.

Navigate to the ISEC7 EMM Suite installation directory: <Drive>:\Program Files\ISEC7 EMM Suite\web\WEB-INF
Open web.xml with Notepad.exe.
Scroll to the end of the file.
Confirm there are no comment tags "<!--" and "-->" and the following exists without comment tags:

<error-page>
<exception-type>java.lang.Exception</exception-type>
<location>/exception.jsp</location>
</error-page>

If stack tracing has not been disabled in Apache Tomcat, this is a finding.
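
The check above can be scripted against a copy of web.xml. The following Python is an added example, not part of the STIG or of ISEC7's tooling; the function name, the result strings and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Values taken from the check text above.
REQUIRED_TYPE = "java.lang.Exception"
REQUIRED_LOCATION = "/exception.jsp"

# Constructed sample input, not the vendor's shipped web.xml.
SAMPLE_COMMENTED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <display-name>sample</display-name>
  <!-- <error-page>
  <exception-type>java.lang.Exception</exception-type>
  <location>/exception.jsp</location>
  </error-page> -->
</web-app>"""
SAMPLE_ACTIVE = SAMPLE_COMMENTED.replace("<!-- ", "").replace(" -->", "")


def _local(tag):
    """Drop a '{namespace}' prefix; comment nodes have a non-string tag."""
    return tag.rsplit("}", 1)[-1] if isinstance(tag, str) else ""


def check_error_page(web_xml_text):
    """Return (compliant, reason) for web.xml content passed as a string."""
    # Keep comments in the tree so a commented-out block can be reported.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    try:
        root = ET.fromstring(web_xml_text, parser=parser)
    except ET.ParseError as exc:
        return False, f"web.xml is not well-formed: {exc}"

    commented = False
    for elem in root.iter():
        if elem.tag is ET.Comment:
            commented = commented or "<error-page>" in (elem.text or "")
        elif _local(elem.tag) == "error-page":
            fields = {_local(c.tag): (c.text or "").strip() for c in elem}
            if (fields.get("exception-type") == REQUIRED_TYPE
                    and fields.get("location") == REQUIRED_LOCATION):
                return True, "active error-page mapping found"
    if commented:
        return False, "error-page block is still commented out"
    return False, "no error-page mapping for java.lang.Exception"


if __name__ == "__main__":
    for name, text in (("commented", SAMPLE_COMMENTED), ("active", SAMPLE_ACTIVE)):
        print(name, check_error_page(text))
```

A False result corresponds to a finding. The parser matches elements by local name, so the result is the same whether or not web.xml declares a default namespace.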

Documentable

False

Check Content Reference

M

Target Key

4200

Comments