2.5 Disable client facing Stack Traces - check for defined exception type

Information

When a runtime error occurs during request processing, Apache Tomcat will display debugging information to the requestor. It is recommended that such debug information be withheld from the requestor.

Rationale:

Debugging information, such as that found in call stacks, often contains sensitive information which may be useful to an attacker. By preventing Tomcat from providing this information, the risk of leaking sensitive information to a potential attacker is reduced.

Solution

Perform the following to prevent Tomcat from providing debug information to the requestor during runtime errors:

Create a web page that contains the logic or message you wish to invoke when encountering a runtime error. For example purposes, assume this page is located at /error.jsp.

Add a child element, <error-page>, to the <web-app> element, in the $CATALINA_HOME/conf/web.xml file.

Add a child element, <exception-type>, to the <error-page> element. Set the value of the <exception-type> element to java.lang.Throwable.

Add a child element <location> to the <error-page> element. Set the value of the <location> element to the location of page created in step 1.

The resulting entry will look as follows:

<error-page>
<span> <exception-type>java.lang.Throwable</exception-type>
<location>/error.jsp</location>
</error-page>

Default Value:

Tomcat's default configuration does not include an <error-page> element in $CATALINA_HOME/conf/web.xml. Therefore, Tomcat will provide debug information to the requestor by default.

References:

https://tomcat.apache.org/tomcat-8.0-doc/api/org/apache/tomcat/util/descriptor/web/ErrorPage.html

See Also

https://workbench.cisecurity.org/files/2506

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7, CSCv7|13.2

Plugin: Unix

Control ID: 987cf9ee566bc00d961d72cce2b5f859c7301c8b309e71db106485bd31ae2fc7