Posted to users@tomcat.apache.org by FANG YAP <fa...@gmail.com> on 2020/06/03 02:52:25 UTC

Re: Vulnerability flagged in Nessus Scan

Resend

On Wed, 3 Jun 2020, 10:10 FANG YAP, <fa...@gmail.com> wrote:

> Hi Tomcat,
>
> Nessus scanned and found an issue in Apache Tomcat on port 8080
>
> Port: 8080
> Plugin Text:
> The server is not configured to return a custom page in the event of a
> client requesting a non-existent resource. This may result in a potential
> disclosure of sensitive information about the server to attacker.
>
> Apache Tomcat Version: 8.5.43
> JDK 8: 1.8.0_212 (Will be upgrading to the latest, 1.8.0_251, soon)
>
> Your assistance would be greatly appreciated
>
> Rgs,
> Fang
>

Re: Vulnerability flagged in Nessus Scan

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Fang,

Your application's web.xml will only provide error messages for errors
which occur when a request has been issued to your application (e.g.
/myapp/doesnotexist -> 404 -> your 404 page). But if you request
something outside your web application or make an invalid request, you
won't get your application's configured error pages (e.g.
/unknownapp/doesnotexist -> 404 -> Tomcat's default error page; e.g.
/foo HTTP/7.5 -> 400 Bad Request, not app's error page).

So it's always a good idea to completely lock things down, and not
just in your own application.

- -chris

On 6/7/20 21:02, FANG YAP wrote:
> Hello Martin and John,
>
> Any update on this?
>
> Regards with Thanks,
>
> Fang
>
> On Thu, 4 Jun 2020, 09:48 FANG YAP, <fa...@gmail.com> wrote:
>
>> Hi Martin,
>>
>> Thank you for your email.
>>
>> In my application's web.xml, there is already a default
>> <error-page> error-code that defines 404 (../error_404.jsp), 403
>> (../error_403.jsp), 500 (../error_500.jsp) and
>> java.lang.Throwable (.. /system Error.jsp)
>>
>> whereas the tomcat web.xml defines the previous error page on
>> exception.
>>
>> Do I have to declare the same error code in the application's
>> web.xml in the tomcat web.xml?
>>
>> Hi John,
>>
>> Thank you for your reply.
>>
>> In the tomcat server.xml, there is already a Valve tag like
>> <Valve className="org.apache.catalina.AccessLogValve" pattern=...
>> /> under <Host name="local"... >
>>
>> For your resolution, is it to include another valve tag below the
>> access log valve?
>>
>> Regards with Thanks,
>>
>> Fang
>>
>> On Thu, 4 Jun 2020, 06:03 John Palmer, <jo...@gmail.com>
>> wrote:
>>
>>> As the concern is that an error page will show the tomcat
>>> version/patch info AND a stacktrace, I found the
>>> easier/better? solution to be adding ..... showReport="false"
>>> showServerInfo="false" to the Error Report Valve section at the
>>> bottom of server.xml (and adding or uncommenting that valve
>>> section...):
>>>
>>> <Valve className="org.apache.catalina.valves.ErrorReportValve"
>>> showReport="false" showServerInfo="false" />
>>>
>>> On Wed, Jun 3, 2020 at 5:40 AM Martin Grigorov
>>> <mg...@apache.org> wrote:
>>>
>>>> On Wed, Jun 3, 2020 at 11:14 AM FANG YAP <fa...@gmail.com>
>>>> wrote:
>>>>
>>>>> Hello Martin,
>>>>>
>>>>> Is that to say that I have to declare something like this in
>>>>> the web.xml file?
>>>>>
>>>>> <error-page>
>>>>> <exception-type>java.lang.Exception</exception-type>
>>>>> <location>/error.jsp</location>
>>>>> </error-page>
>>>>>
>>>>
>>>> Better use the error-code ones from the StackOverflow link I
>>>> gave you. Your approach will cover only error code 500 (for
>>>> Exceptions, but not for java.lang.Error) and won't cover
>>>> NotFound (404) and the others. I guess Nessus won't be totally
>>>> happy with your approach.
>>>>
>>>>
>>>>>
>>>>> Regards with Thanks,
>>>>>
>>>>> Fang
>>>>>
>>>>> On Wed, 3 Jun 2020, 15:56 Martin Grigorov, <mg...@apache.org>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> On Wed, Jun 3, 2020 at 5:53 AM FANG YAP
>>>>>> <fa...@gmail.com> wrote:
>>>>>>
>>>>>>> Resend
>>>>>>>
>>>>>>> On Wed, 3 Jun 2020, 10:10 FANG YAP,
>>>>>>> <fa...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi Tomcat,
>>>>>>>>
>>>>>>>> Nessus scanned and found an issue in Apache Tomcat on port
>>>>>>>> 8080
>>>>>>>>
>>>>>>>> Port: 8080 Plugin Text: The server is not configured
>>>>>>>> to return a custom page in the event of a
>>>>>>>> client requesting a non-existent resource. This may
>>>>>>>> result in a potential
>>>>>>>> disclosure of sensitive information about the server
>>>>>>>> to attacker.
>>>>>>>>
>>>>>>>> Apache Tomcat Version: 8.5.43 JDK 8: 1.8.0_212 (Will
>>>>>>>> be upgrading to the latest, 1.8.0_251, soon)
>>>>>>>
>>>>>>
>>>>>> To configure custom error pages and thus to suppress this
>>>>>> issue you can:
>>>>>> 1) use ErrorReportValve
>>>>>> <https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Error_Report_Valve>
>>>>>>
>>>>>> 2) configure error-page elements in your application web.xml -
>>>>>> https://stackoverflow.com/a/7066536/497381
>>>>>>
>>>>>>
>>>>>>>>
>>>>>>>> Your assistance would be greatly appreciated
>>>>>>>>
>>>>>>>> Rgs, Fang
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
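Putting the three suggestions in this thread together (Martin's error-page elements, John's ErrorReportValve, and the point above that application-level error pages do not cover requests outside the application), as an added example that is not from the original thread: the Host attributes, the access-log attributes and the /error/generic.html path are assumptions, not Fang's configuration.

```xml
<!-- conf/server.xml: the Host that already carries the AccessLogValve.
     Host-level valves run for every request to this virtual host,
     including the cases described above that never reach an application's
     own error pages (paths outside any deployed app, malformed requests).
     Host and AccessLogValve attributes below are assumed, not Fang's. -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

  <Valve className="org.apache.catalina.valves.AccessLogValve"
         directory="logs" prefix="localhost_access_log" suffix=".txt"
         pattern="%h %l %u %t &quot;%r&quot; %s %b" />

  <!-- Added below the access log valve, as John suggested: no exception
       report / stack trace and no "Apache Tomcat/8.5.43" banner on the
       default error page. Note the spelling "catalina". -->
  <Valve className="org.apache.catalina.valves.ErrorReportValve"
         showReport="false" showServerInfo="false" />

</Host>

<!-- conf/web.xml: Tomcat merges this file into every deployed
     application's web.xml, so error-page elements declared here once
     apply where an application declares none. Each <location> is
     resolved inside the context that handles the request, so the
     (assumed) page /error/generic.html must exist in each webapp; ROOT
     matters most, because paths that match no deployed context, such as
     /unknownapp/doesnotexist, are mapped to the ROOT context.
     These elements go inside the existing <web-app> element. -->
  <error-page>
    <error-code>400</error-code>
    <location>/error/generic.html</location>
  </error-page>
  <error-page>
    <error-code>403</error-code>
    <location>/error/generic.html</location>
  </error-page>
  <error-page>
    <error-code>404</error-code>
    <location>/error/generic.html</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/error/generic.html</location>
  </error-page>
  <!-- java.lang.Throwable rather than java.lang.Exception: this also
       catches java.lang.Error subclasses, the gap Martin pointed out. -->
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error/generic.html</location>
  </error-page>
```

A static HTML page is a deliberate choice for the location: a JSP error page that itself throws would fall back to the default error report.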



Re: Vulnerability flagged in Nessus Scan

Posted by FANG YAP <fa...@gmail.com>.
Hello Martin and John,

Any update on this?

Regards with Thanks,

Fang

On Thu, 4 Jun 2020, 09:48 FANG YAP, <fa...@gmail.com> wrote:

> Hi Martin,
>
> Thank you for your email.
>
> In my application's web.xml, there is already a default <error-page>
> error-code that defines 404 (../error_404.jsp), 403 (../error_403.jsp), 500
> (../error_500.jsp) and java.lang.Throwable (.. /system Error.jsp)
>
> whereas the tomcat web.xml defines the previous error page on exception.
>
> Do I have to declare the same error code in the application's web.xml in
> the tomcat web.xml?
>
> Hi John,
>
> Thank you for your reply.
>
> In the tomcat server.xml, there is already a Valve tag like <Valve
> className="org.apache.catalina.AccessLogValve" pattern=... /> under <Host
> name="local"... >
>
> For your resolution, is it to include another valve tag below the access log
> valve?
>
> Regards with Thanks,
>
> Fang
>
> On Thu, 4 Jun 2020, 06:03 John Palmer, <jo...@gmail.com> wrote:
>
>> As the concern is that an error page will show the tomcat version/patch
>> info
>> AND a stacktrace,
>> I found the easier/better? solution to be adding ..... showReport="false"
>> showServerInfo="false"
>> to the Error Report Valve section at the bottom of server.xml (and adding
>> or uncommenting that valve section...):
>>
>>  <Valve className="org.apache.catalina.valves.ErrorReportValve"
>> showReport="false" showServerInfo="false" />
>>
>> On Wed, Jun 3, 2020 at 5:40 AM Martin Grigorov <mg...@apache.org>
>> wrote:
>>
>> > On Wed, Jun 3, 2020 at 11:14 AM FANG YAP <fa...@gmail.com> wrote:
>> >
>> > > Hello Martin,
>> > >
>> > > Is that to say that I have to declare something like this in the
>> > > web.xml file?
>> > >
>> > > <error-page>
>> > > <exception-type>java.lang.Exception</exception-type>
>> > > <location>/error.jsp</location>
>> > > </error-page>
>> > >
>> >
>> > Better use the error-code ones from the StackOverflow link I gave you.
>> > Your approach will cover only error code 500 (for Exceptions, but not
>> > for java.lang.Error) and won't cover NotFound (404) and the others.
>> > I guess Nessus won't be totally happy with your approach.
>> >
>> >
>> > >
>> > > Regards with Thanks,
>> > >
>> > > Fang
>> > >
>> > > On Wed, 3 Jun 2020, 15:56 Martin Grigorov, <mg...@apache.org> wrote:
>> > >
>> > > > Hi,
>> > > >
>> > > > On Wed, Jun 3, 2020 at 5:53 AM FANG YAP <fa...@gmail.com> wrote:
>> > > >
>> > > > > Resend
>> > > > >
>> > > > > On Wed, 3 Jun 2020, 10:10 FANG YAP, <fa...@gmail.com> wrote:
>> > > > >
>> > > > > > Hi Tomcat,
>> > > > > >
>> > > > > > Nessus scanned and found an issue in Apache Tomcat on port 8080
>> > > > > >
>> > > > > > Port: 8080
>> > > > > > Plugin Text:
>> > > > > > The server is not configured to return a custom page in the
>> > > > > > event of a client requesting a non-existent resource. This may
>> > > > > > result in a potential disclosure of sensitive information about
>> > > > > > the server to attacker.
>> > > > > >
>> > > > > > Apache Tomcat Version: 8.5.43
>> > > > > > JDK 8: 1.8.0_212 (Will be upgrading to the latest, 1.8.0_251, soon)
>> > > > >
>> > > >
>> > > > To configure custom error pages and thus to suppress this issue you
>> > > > can:
>> > > > 1) use ErrorReportValve
>> > > > <https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Error_Report_Valve>
>> > > >
>> > > > 2) configure error-page elements in your application web.xml -
>> > > > https://stackoverflow.com/a/7066536/497381
>> > > >
>> > > >
>> > > > > >
>> > > > > > Your assistance would be greatly appreciated
>> > > > > >
>> > > > > > Rgs,
>> > > > > > Fang
>> > > > > >
>> > > > >
>> > > >
>> > >
>> >
>>
>

Re: Vulnerability flagged in Nessus Scan

Posted by FANG YAP <fa...@gmail.com>.
Hi Martin,

Thank you for your email.

In my application's web.xml, there is already a default <error-page>
error-code that defines 404 (../error_404.jsp), 403 (../error_403.jsp), 500
(../error_500.jsp) and java.lang.Throwable (.. /system Error.jsp)

whereas the tomcat web.xml defines the previous error page on exception.

Do I have to declare the same error code in the application's web.xml in
the tomcat web.xml?

Hi John,

Thank you for your reply.

In the tomcat server.xml, there is already a Valve tag like <Valve
className="org.apache.catalina.AccessLogValve" pattern=... /> under <Host
name="local"... >

For your resolution, is it to include another valve tag below the access log
valve?

Regards with Thanks,

Fang

On Thu, 4 Jun 2020, 06:03 John Palmer, <jo...@gmail.com> wrote:

> As the concern is that an error page will show the tomcat version/patch info
> AND a stacktrace,
> I found the easier/better? solution to be adding ..... showReport="false"
> showServerInfo="false"
> to the Error Report Valve section at the bottom of server.xml (and adding
> or uncommenting that valve section...):
>
>  <Valve className="org.apache.catalina.valves.ErrorReportValve"
> showReport="false" showServerInfo="false" />
>
> On Wed, Jun 3, 2020 at 5:40 AM Martin Grigorov <mg...@apache.org>
> wrote:
>
> > On Wed, Jun 3, 2020 at 11:14 AM FANG YAP <fa...@gmail.com> wrote:
> >
> > > Hello Martin,
> > >
> > > Is that to say that I have to declare something like this in the
> > > web.xml file?
> > >
> > > <error-page>
> > > <exception-type>java.lang.Exception</exception-type>
> > > <location>/error.jsp</location>
> > > </error-page>
> > >
> >
> > Better use the error-code ones from the StackOverflow link I gave you.
> > Your approach will cover only error code 500 (for Exceptions, but not for
> > java.lang.Error) and won't cover NotFound (404) and the others.
> > I guess Nessus won't be totally happy with your approach.
> >
> >
> > >
> > > Regards with Thanks,
> > >
> > > Fang
> > >
> > > On Wed, 3 Jun 2020, 15:56 Martin Grigorov, <mg...@apache.org> wrote:
> > >
> > > > Hi,
> > > >
> > > > On Wed, Jun 3, 2020 at 5:53 AM FANG YAP <fa...@gmail.com> wrote:
> > > >
> > > > > Resend
> > > > >
> > > > > On Wed, 3 Jun 2020, 10:10 FANG YAP, <fa...@gmail.com> wrote:
> > > > >
> > > > > > Hi Tomcat,
> > > > > >
> > > > > > Nessus scanned and found an issue in Apache Tomcat on port 8080
> > > > > >
> > > > > > Port: 8080
> > > > > > Plugin Text:
> > > > > > The server is not configured to return a custom page in the event
> > > > > > of a client requesting a non-existent resource. This may result in
> > > > > > a potential disclosure of sensitive information about the server
> > > > > > to attacker.
> > > > > >
> > > > > > Apache Tomcat Version: 8.5.43
> > > > > > JDK 8: 1.8.0_212 (Will be upgrading to the latest, 1.8.0_251, soon)
> > > > >
> > > >
> > > > To configure custom error pages and thus to suppress this issue you
> > > > can:
> > > > 1) use ErrorReportValve
> > > > <https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Error_Report_Valve>
> > > >
> > > > 2) configure error-page elements in your application web.xml -
> > > > https://stackoverflow.com/a/7066536/497381
> > > >
> > > >
> > > > > >
> > > > > > Your assistance would be greatly appreciated
> > > > > >
> > > > > > Rgs,
> > > > > > Fang
> > > > > >
> > > > >
> > > >
> > >
> >
>

Re: Vulnerability flagged in Nessus Scan

Posted by John Palmer <jo...@gmail.com>.
As the concern is that an error page will show the tomcat version/patch info
AND a stacktrace,
I found the easier/better? solution to be adding ..... showReport="false"
showServerInfo="false"
to the Error Report Valve section at the bottom of server.xml (and adding
or uncommenting that valve section...):

 <Valve className="org.apache.catalina.valves.ErrorReportValve"
showReport="false" showServerInfo="false" />

On Wed, Jun 3, 2020 at 5:40 AM Martin Grigorov <mg...@apache.org> wrote:

> On Wed, Jun 3, 2020 at 11:14 AM FANG YAP <fa...@gmail.com> wrote:
>
> > Hello Martin,
> >
> > Is that to say that I have to declare something like this in the web.xml
> > file?
> >
> > <error-page>
> > <exception-type>java.lang.Exception</exception-type>
> > <location>/error.jsp</location>
> > </error-page>
> >
>
> Better use the error-code ones from the StackOverflow link I gave you.
> Your approach will cover only error code 500 (for Exceptions, but not for
> java.lang.Error) and won't cover NotFound (404) and the others.
> I guess Nessus won't be totally happy with your approach.
>
>
> >
> > Regards with Thanks,
> >
> > Fang
> >
> > On Wed, 3 Jun 2020, 15:56 Martin Grigorov, <mg...@apache.org> wrote:
> >
> > > Hi,
> > >
> > > On Wed, Jun 3, 2020 at 5:53 AM FANG YAP <fa...@gmail.com> wrote:
> > >
> > > > Resend
> > > >
> > > > On Wed, 3 Jun 2020, 10:10 FANG YAP, <fa...@gmail.com> wrote:
> > > >
> > > > > Hi Tomcat,
> > > > >
> > > > > Nessus scanned and found an issue in Apache Tomcat on port 8080
> > > > >
> > > > > Port: 8080
> > > > > Plugin Text:
> > > > > The server is not configured to return a custom page in the event
> > > > > of a client requesting a non-existent resource. This may result in
> > > > > a potential disclosure of sensitive information about the server
> > > > > to attacker.
> > > > >
> > > > > Apache Tomcat Version: 8.5.43
> > > > > JDK 8: 1.8.0_212 (Will be upgrading to the latest, 1.8.0_251, soon)
> > > >
> > >
> > > To configure custom error pages and thus to suppress this issue you
> > > can:
> > > 1) use ErrorReportValve
> > > <https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Error_Report_Valve>
> > >
> > > 2) configure error-page elements in your application web.xml -
> > > https://stackoverflow.com/a/7066536/497381
> > >
> > >
> > > > >
> > > > > Your assistance would be greatly appreciated
> > > > >
> > > > > Rgs,
> > > > > Fang
> > > > >
> > > >
> > >
> >
>

Re: Vulnerability flagged in Nessus Scan

Posted by Martin Grigorov <mg...@apache.org>.
On Wed, Jun 3, 2020 at 11:14 AM FANG YAP <fa...@gmail.com> wrote:

> Hello Martin,
>
> Is that to say that I have to declare something like this in the web.xml
> file?
>
> <error-page>
> <exception-type>java.lang.Exception</exception-type>
> <location>/error.jsp</location>
> </error-page>
>

Better use the error-code ones from the StackOverflow link I gave you.
Your approach will cover only error code 500 (for Exceptions, but not for
java.lang.Error) and won't cover NotFound (404) and the others.
I guess Nessus won't be totally happy with your approach.


>
> Regards with Thanks,
>
> Fang
>
> On Wed, 3 Jun 2020, 15:56 Martin Grigorov, <mg...@apache.org> wrote:
>
> > Hi,
> >
> > On Wed, Jun 3, 2020 at 5:53 AM FANG YAP <fa...@gmail.com> wrote:
> >
> > > Resend
> > >
> > > On Wed, 3 Jun 2020, 10:10 FANG YAP, <fa...@gmail.com> wrote:
> > >
> > > > Hi Tomcat,
> > > >
> > > > Nessus scanned and found an issue in Apache Tomcat on port 8080
> > > >
> > > > Port: 8080
> > > > Plugin Text:
> > > > The server is not configured to return a custom page in the event of
> > > > a client requesting a non-existent resource. This may result in a
> > > > potential disclosure of sensitive information about the server to
> > > > attacker.
> > > >
> > > > Apache Tomcat Version: 8.5.43
> > > > JDK 8: 1.8.0_212 (Will be upgrading to the latest, 1.8.0_251, soon)
> > >
> >
> > To configure custom error pages and thus to suppress this issue you can:
> > 1) use ErrorReportValve
> > <https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Error_Report_Valve>
> >
> > 2) configure error-page elements in your application web.xml -
> > https://stackoverflow.com/a/7066536/497381
> >
> >
> > > >
> > > > Your assistance would be greatly appreciated
> > > >
> > > > Rgs,
> > > > Fang
> > > >
> > >
> >
>

Re: Vulnerability flagged in Nessus Scan

Posted by FANG YAP <fa...@gmail.com>.
Hello Martin,

Is that to say that I have to declare something like this in the web.xml file?

<error-page>
<exception-type>java.lang.Exception</exception-type>
<location>/error.jsp</location>
</error-page>

Regards with Thanks,

Fang

On Wed, 3 Jun 2020, 15:56 Martin Grigorov, <mg...@apache.org> wrote:

> Hi,
>
> On Wed, Jun 3, 2020 at 5:53 AM FANG YAP <fa...@gmail.com> wrote:
>
> > Resend
> >
> > On Wed, 3 Jun 2020, 10:10 FANG YAP, <fa...@gmail.com> wrote:
> >
> > > Hi Tomcat,
> > >
> > > Nessus scanned and found an issue in Apache Tomcat on port 8080
> > >
> > > Port: 8080
> > > Plugin Text:
> > > The server is not configured to return a custom page in the event of a
> > > client requesting a non-existent resource. This may result in a
> > > potential disclosure of sensitive information about the server to
> > > attacker.
> > >
> > > Apache Tomcat Version: 8.5.43
> > > JDK 8: 1.8.0_212 (Will be upgrading to the latest, 1.8.0_251, soon)
> >
>
> To configure custom error pages and thus to suppress this issue you can:
> 1) use ErrorReportValve
> <https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Error_Report_Valve>
>
> 2) configure error-page elements in your application web.xml -
> https://stackoverflow.com/a/7066536/497381
>
>
> > >
> > > Your assistance would be greatly appreciated
> > >
> > > Rgs,
> > > Fang
> > >
> >
>

Re: Vulnerability flagged in Nessus Scan

Posted by Martin Grigorov <mg...@apache.org>.
Hi,

On Wed, Jun 3, 2020 at 5:53 AM FANG YAP <fa...@gmail.com> wrote:

> Resend
>
> On Wed, 3 Jun 2020, 10:10 FANG YAP, <fa...@gmail.com> wrote:
>
> > Hi Tomcat,
> >
> > Nessus scanned and found an issue in Apache Tomcat on port 8080
> >
> > Port: 8080
> > Plugin Text:
> > The server is not configured to return a custom page in the event of a
> > client requesting a non-existent resource. This may result in a potential
> > disclosure of sensitive information about the server to attacker.
> >
> > Apache Tomcat Version: 8.5.43
> > JDK 8: 1.8.0_212 (Will be upgrading to the latest, 1.8.0_251, soon)
>

To configure custom error pages and thus to suppress this issue you can:
1) use ErrorReportValve
<https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Error_Report_Valve>

2) configure error-page elements in your application web.xml -
https://stackoverflow.com/a/7066536/497381


> >
> > Your assistance would be greatly appreciated
> >
> > Rgs,
> > Fang
> >
>