2.3 Alter the Advertised server.built Date

Information

The server.built date represents the date on which Tomcat was compiled and packaged. This value is presented to Tomcat clients when they connect to the server.

Rationale:

Altering the server.built string may make it harder for attackers to fingerprint which vulnerabilities affect the server platform.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Perform the following to alter the server version string that gets displayed when clients connect to the server.

Extract the ServerInfo.properties file from the catalina.jar file:

$ cd $CATALINA_HOME/lib
$ jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties

Navigate to the util directory that was created:

$ cd org/apache/catalina/util

Open ServerInfo.properties in an editor.

Update the server.built attribute in the ServerInfo.properties file.

server.built=

Return to the lib directory and update catalina.jar with the modified ServerInfo.properties file:

$ cd $CATALINA_HOME/lib
$ jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
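To confirm the change took effect, the packaged value can be read back from the jar. The script below is an added example, not part of the benchmark or of the Nessus audit. It assumes unzip is installed, and the function names and the rule that an empty value or one still shaped like the default build timestamp fails are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit the server.built value.
PROPS=org/apache/catalina/util/ServerInfo.properties

# Read .properties text on stdin and print the effective server.built value.
# Comment lines are skipped because the key must start the line; the last
# definition wins, as it does when Java loads a properties file.
get_server_built() {
    tr -d '\r' |
        sed -n 's/^[[:space:]]*server\.built[[:space:]]*[=:][[:space:]]*//p' |
        tail -n 1
}

# Succeed if the value still has the default shape, e.g. "Jul 8 2008 11:40:35".
is_default_build_date() {
    printf '%s\n' "$1" | grep -Eq \
      '^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) +[0-9]{1,2} +[0-9]{4} +[0-9]{2}:[0-9]{2}:[0-9]{2}'
}

# Print PASS/FAIL for properties text on stdin; return 0 only on PASS.
# Policy of this example: an empty or missing value counts as a failure.
audit_server_built() {
    value=$(get_server_built)
    if [ -z "$value" ]; then
        echo "FAIL: server.built is missing or empty"
        return 1
    elif is_default_build_date "$value"; then
        echo "FAIL: server.built still looks like a build timestamp: $value"
        return 1
    fi
    echo "PASS: server.built=$value"
}

# Audit a catalina.jar in place: a jar is a zip archive, and unzip -p
# writes the named entry to stdout without extracting it to disk.
audit_catalina_jar() {
    unzip -p "$1" "$PROPS" | audit_server_built
}

# Run against a jar only when a path is given on the command line.
if [ -n "${1:-}" ]; then
    audit_catalina_jar "$1"
fi
```

Saved under a name of your choosing and run with the path to $CATALINA_HOME/lib/catalina.jar as its only argument, it exits non-zero when the value has not been altered.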

Default Value:

The default value for the server.built attribute is the build date and time. For example, Jul 8 2008 11:40:35.

See Also

https://workbench.cisecurity.org/files/2509

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-30(5), CSCv7|13.2

Plugin: Unix

Control ID: c9161448395e22c71abb854df4ffe816c21fbf75c41054304a0097a7873c18c1