2.1 Alter the Advertised server.info String

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

The server.info attribute contains the name of the application service. Tomcat presents this value to clients when they connect to the Tomcat server.

Rationale:

Altering the server.info attribute may increase the complexity for attackers to determine which vulnerabilities affect the server platform.

Solution

Perform the following to alter the server platform string that is displayed when clients connect to the Tomcat server.

Extract the ServerInfo.properties file from the catalina.jar file:

$ cd $CATALINA_HOME/lib
$ jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties

Navigate to the util directory that was created:

$ cd org/apache/catalina/util

Open ServerInfo.properties in an editor.

Update the server.info attribute in the ServerInfo.properties file:

server.info=<SomeWebServer>

Update the catalina.jar with the modified ServerInfo.properties file:

$ jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties
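The procedure above can be carried out, and the result verified, without the jar tool, because catalina.jar is an ordinary zip archive. The following Python script is an added example and is not part of the CIS audit or of Tomcat; it builds a constructed stand-in for catalina.jar (the property names mirror Tomcat's ServerInfo.properties, the values are made up), reports the advertised server.info string the way an audit check would, and rewrites it by copying every entry into a new archive, since a zip entry cannot be edited in place. The function names (make_sample_jar, read_server_info, set_server_info, demo_rewrite) are this example's own.

```python
import os
import tempfile
import zipfile

# Path of the properties entry inside catalina.jar (from the audit text).
ENTRY = "org/apache/catalina/util/ServerInfo.properties"


def make_sample_jar(path, server_info="Apache Tomcat/9.0.0.M9"):
    """Write a constructed stand-in for catalina.jar so the example runs offline.
    The property names mirror Tomcat's file; the values are made up."""
    props = (
        f"server.info={server_info}\n"
        "server.number=9.0.0.0\n"
        "server.built=Jan 1 2000 00:00:00 UTC\n"
    )
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        # One unrelated entry, so the rewrite can be shown to preserve other files.
        zf.writestr("org/apache/catalina/util/Unrelated.class", b"\xca\xfe\xba\xbe")
        zf.writestr(ENTRY, props)


def parse_server_info(text):
    """Return the server.info value from properties text (simple key=value parsing)."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "server.info":
            return value.strip()
    return None


def read_server_info(jar_path):
    """Audit check: the string the jar will advertise, or None if the entry is missing."""
    with zipfile.ZipFile(jar_path) as zf:
        if ENTRY not in zf.namelist():
            return None
        return parse_server_info(zf.read(ENTRY).decode("utf-8"))


def entry_names(jar_path):
    """Sorted entry list, used to confirm the rewrite kept everything else intact."""
    with zipfile.ZipFile(jar_path) as zf:
        return sorted(zf.namelist())


def set_server_info(jar_path, new_value):
    """Rewrite server.info inside the jar and return the previous value.
    Every entry is copied into a temporary jar beside the original, with only the
    properties entry changed; the temporary file then atomically replaces the jar."""
    if "\n" in new_value or "\r" in new_value:
        raise ValueError("server.info must be a single line")
    old_value = None
    jar_dir = os.path.dirname(os.path.abspath(jar_path))
    fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=jar_dir)
    os.close(fd)
    try:
        with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
            for info in src.infolist():
                data = src.read(info)
                if info.filename == ENTRY:
                    lines = []
                    for line in data.decode("utf-8").splitlines():
                        key, sep, value = line.partition("=")
                        if sep and key.strip() == "server.info":
                            old_value = value.strip()
                            line = f"server.info={new_value}"
                        lines.append(line)
                    data = ("\n".join(lines) + "\n").encode("utf-8")
                dst.writestr(info, data)  # reuses the entry's name and compression
        if old_value is None:
            raise ValueError(f"{jar_path} has no server.info in {ENTRY}")
        os.replace(tmp_path, jar_path)
    finally:
        if os.path.exists(tmp_path):
            os.remove(tmp_path)
    return old_value


def demo_rewrite(new_value="SomeWebServer"):
    """Round trip on a constructed jar; returns what an auditor would compare."""
    with tempfile.TemporaryDirectory() as d:
        jar = os.path.join(d, "catalina.jar")
        make_sample_jar(jar)
        before = read_server_info(jar)
        replaced = set_server_info(jar, new_value)
        return {
            "before": before,
            "replaced": replaced,
            "after": read_server_info(jar),
            "entries": entry_names(jar),
        }


if __name__ == "__main__":
    # Against a real install, point set_server_info at $CATALINA_HOME/lib/catalina.jar
    # with Tomcat stopped and a backup of the jar taken first.
    print(demo_rewrite())
```

read_server_info is the piece to keep around after the change: catalina.jar is replaced whenever Tomcat is upgraded, so the altered string is lost on upgrade and the check should be re-run (and the edit reapplied) after every Tomcat update.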

Default Value:

The default value for the server.info attribute is Apache Tomcat/<version>. For example, Apache Tomcat/9.0.0.M9.

References:

https://www.owasp.org/index.php/Securing_tomcat

See Also

https://workbench.cisecurity.org/files/2509

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-30(5), CSCv7|13.2

Plugin: Unix

Control ID: 9c2b6cfc11947619b20e9dc654749bdaa5b0b02d6d2ef4e6c03915e16d24a2ae