Apache Tomcat Security

Remove Version Number from Error Pages

Assumes a JDK is in your PATH.

Note that making this change may prevent Lambda/Psi Probe (a popular Tomcat monitoring webapp) from initialising, as it cannot determine the Tomcat version.

cd /tomcat/latest/lib

jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties

vi org/apache/catalina/util/ServerInfo.properties # set server.info=Apache Tomcat (drop the version suffix)

jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties

rm -r org

Restart Apache Tomcat...

systemctl restart tomcat
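The same edit scripted, as an added example that is not part of the original page: it rewrites the extracted ServerInfo.properties without an editor and checks that no version number survives before the file is packed back with jar uf. The sample file contents are constructed to match the layout of Tomcat's ServerInfo.properties; the version value in it is made up.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes the properties file has
# already been extracted with:
#   jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties

# Rewrite only the server.info key in place; every other line is kept as-is.
scrub_server_info() {
  props="$1"
  tmp="$props.tmp"
  sed 's/^server\.info=.*/server.info=Apache Tomcat/' "$props" > "$tmp" && mv "$tmp" "$props"
}

# Exit 0 when server.info no longer carries a dotted version number, non-zero
# otherwise. Run this before "jar uf" so a missed edit is caught early.
server_info_is_clean() {
  ! grep -E '^server\.info=.*[0-9]+\.[0-9]+' "$1" > /dev/null
}

# Constructed sample in the shape of Tomcat's ServerInfo.properties;
# 9.9.99 is a placeholder, not a real release.
make_sample_props() {
  cat > "$1" <<'EOF'
server.info=Apache Tomcat/9.9.99
server.number=9.9.99.0
server.built=PLACEHOLDER-BUILD-DATE
EOF
}

# Demonstration on the constructed sample.
demo="${TMPDIR:-/tmp}/ServerInfo.properties.demo.$$"
make_sample_props "$demo"
server_info_is_clean "$demo" && echo "unexpected: sample already clean"
scrub_server_info "$demo"
if server_info_is_clean "$demo"; then
  echo "server.info scrubbed, safe to run: jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties"
else
  echo "version string still present in $demo"
fi
rm -f "$demo"
```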

Remove HTTP Access to Release Notes

By default, this URL will work from any browser on the network (firewall rules permitting)...

http://mytomcatserver:8080/RELEASE-NOTES.txt

This document will generally reveal the version number of Tomcat.

To address this, simply remove the RELEASE-NOTES.txt file from production Tomcat servers...

rm /tomcat/latest/webapps/ROOT/RELEASE-NOTES.txt

Replace favicon.ico

Default favicon.ico files can be flagged during a penetration test because they identify the software in use. To avoid this, follow the notes below.

Identify a suitable replacement favicon.ico. Either use one of the many online favicon.ico designer tools or find a nondescript one from another server.

To replace the Tomcat favicon.ico:

cd /tomcat/latest/webapps/ROOT

cp favicon.ico favicon.icoO # Backup existing favicon

Replace favicon.ico with your alternate icon.