Posted to users@tomcat.apache.org by Robert Hicks <ro...@gmail.com> on 2021/05/06 13:09:37 UTC

Tomcat (catalina.jar) Security Question

We are getting evaluated and one of the items that I need to do is change
the "ServerInfo.properties" in the catalina.jar to set "server.info" and
"server.version" to nonsense (really).

I have the following Valve setup as well:

<Valve className="org.apache.catalina.valves.ErrorReportValve"
                    showReport="false"
                    showServerInfo="false" />

At what point would the "ServerInfo.properties" actually show a version and
server name to an end user?

I am just wondering if mucking with the jar every release is a worthwhile
thing and what security implications (if any) are involved.

Thanks,

Bob

Re: Tomcat (catalina.jar) Security Question

Posted by Mark Thomas <ma...@apache.org>.
On 06/05/2021 14:09, Robert Hicks wrote:
> We are getting evaluated and one of the items that I need to do is change
> the "ServerInfo.properties" in the catalina.jar to set "server.info" and
> "server.version" to nonsense (really).
> 
> I have the following Valve setup as well:
> 
> <Valve className="org.apache.catalina.valves.ErrorReportValve"
>                      showReport="false"
>                      showServerInfo="false" />
> 
> At what point would the "ServerInfo.properties" actually show a version and
> server name to an end user?
> 
> I am just wondering if mucking with the jar every release is a worthwhile
> thing and what security implications (if any) are involved.

No need to edit the JAR. Extract ServerInfo.properties to 
$CATALINA_BASE/lib/org/apache/catalina/util and edit the extracted file. 
It will be used in preference to the one in the JAR.

ServerInfo is exposed via ServletContext.getServerInfo() so it is 
possible that an application will expose it.

The DefaultServlet will show it by default if listings are enabled (can 
be disabled).

The ErrorReportValve will show it by default on error pages (can be 
disabled).

The security argument goes something like:
"If you expose the software name and version number it makes it easier 
for an attacker to identify known vulnerabilities for that version and 
target your server"

My personal counter argument goes something like:
"Whether you expose the version number or not, if you run a version with 
a known vulnerability that you are affected by then you are vulnerable. 
Rather than waste time hiding the version number which is simply 
security by obscurity - ie no security at all, spend that time doing 
something useful like upgrading the server so you are no longer exposed 
to the vulnerability."

HTH,

Mark
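The override Mark describes, as an added example that is not code from this thread or from Tomcat itself: it reads ServerInfo.properties out of catalina.jar, rewrites the server.info and server.version keys named in the question, and writes the result under $CATALINA_BASE/lib/org/apache/catalina/util, where Tomcat loads it in preference to the copy inside the JAR. The demo runs against a constructed fake JAR in a temporary directory, and the replacement values are assumptions.

```python
"""Write the $CATALINA_BASE override for ServerInfo.properties instead of editing catalina.jar."""
import os
import tempfile
import zipfile

# Resource path inside catalina.jar; the override mirrors it under $CATALINA_BASE/lib.
RESOURCE = "org/apache/catalina/util/ServerInfo.properties"


def parse_properties(text):
    """Minimal key=value parser for a Java .properties file (comments and blanks skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def write_override(catalina_jar, catalina_base, overrides):
    """Extract ServerInfo.properties from the JAR, apply overrides, and write the
    file to $CATALINA_BASE/lib/... so it takes precedence over the JAR copy.
    Returns the resulting key/value map. Keys not overridden are copied unchanged."""
    with zipfile.ZipFile(catalina_jar) as jar:
        props = parse_properties(jar.read(RESOURCE).decode("utf-8"))
    props.update(overrides)
    target = os.path.join(catalina_base, "lib", *RESOURCE.split("/"))
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "w", encoding="utf-8") as f:
        f.write("# Override generated outside catalina.jar; loaded in preference to it\n")
        for key, value in props.items():
            f.write(f"{key}={value}\n")
    return props


def demo():
    """Self-contained run against a constructed fake catalina.jar in a temp directory."""
    base = tempfile.mkdtemp()
    fake_jar = os.path.join(base, "catalina.jar")
    with zipfile.ZipFile(fake_jar, "w") as jar:  # constructed sample, not a real Tomcat JAR
        jar.writestr(RESOURCE, "server.info=Apache Tomcat/9.0.EXAMPLE\nserver.version=9.0.EXAMPLE\n")
    write_override(fake_jar, base, {"server.info": "Web Server", "server.version": "0.0"})
    # Re-read the file from disk to confirm what Tomcat would actually load.
    with open(os.path.join(base, "lib", *RESOURCE.split("/")), encoding="utf-8") as f:
        return parse_properties(f.read())


if __name__ == "__main__":
    print(demo())
```

Note that, as Mark points out, the value still reaches applications through ServletContext.getServerInfo(), so the override only changes what is reported, not whether it is reported.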
