2.6 Turn off TRACE - check web.xml config files

Information

The HTTP TRACE verb provides debugging and diagnostics information for a given request.

Rationale:

Diagnostic information, such as that found in the response to a TRACE request, often contains sensitive information which may useful to an attacker. By preventing Tomcat from providing this information, the risk of leaking sensitive information to a potential attacker is reduced.

Solution

Perform the following to prevent Tomcat from accepting a TRACE request:
Set the allowTrace attribute for each Connector specified in $CATALINA_HOME/conf/server.xml to false.

<Connector ... allowTrace='false' />

Alternatively, ensure the allowTrace attribute is absent from each Connector specified in $CATALINA_HOME/conf/server.xml.

Default Value:

Tomcat does not allow the TRACE HTTP verb by default. Tomcat will only allow TRACE if the allowTrace attribute is present and set to true.

References:

https://tomcat.apache.org/tomcat-8.0-doc/config/http.html

https://tomcat.apache.org/tomcat-8.5-doc/security-howto.html

https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html

See Also

https://workbench.cisecurity.org/files/2506

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7, CSCv6|18.5, CSCv7|13.2

Plugin: Unix

Control ID: 02d1453b64fae99f094a84aef687c2aded3616dd778f9e6a177fd12d20928542