2.5 Disable client facing Stack Traces

Information

When a runtime error occurs during request processing, Apache Tomcat will display debugging information to the requestor. It is recommended that such debug information be withheld from the requestor.

Debugging information, such as that found in call stacks, often contains sensitive information which may be useful to an attacker. By preventing Tomcat from providing this information, the risk of leaking sensitive information to a potential attacker is reduced.

Solution

Perform the following to prevent Tomcat from providing debug information to the requestor during runtime errors:

- Create a web page that contains the logic or message you wish to invoke when encountering a runtime error. For example purposes, assume this page is located at /error.jsp
- Add a child element, <error-page> to the <web-app> element, in the $CATALINA_HOME/conf/web.xml file.
- Add a child element, <exception-type> to the <error-page> element. Set the value of the <exception-type> element to java.lang.Throwable
- Add a child element <location> to the <error-page> element. Set the value of the <location> element to the location of page created in step 1.

The resulting entry will look as follows:

<error-page>
<exception-type>java.lang.Throwable</exception-type>
<location>/error.jsp</location>
</error-page>

See Also

https://workbench.cisecurity.org/benchmarks/15137

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|13.2

Plugin: Unix

Control ID: a0284c77f6c5fd41ceb263b22cea2f907bb29a9418831b46d08b82c582716b80