Tomcat Vulnerabilities for default-first-page and example-leak

Document ID : KB000013333
Last Modified Date : 14/02/2018
Question:

When we perform vulnerability scans, our CABI/Tomcat server displays two vulnerabilities. How do we fix them?

 

1. Apache Tomcat default installation/welcome page installed  - apache-tomcat-default-install-page

2. Apache Tomcat Example Scripts Information Leakage - apache-tomcat-example-leaks

 
Answer:

1. There are multiple ways to correct this issue (the Tomcat home page being displayed), and the right one depends on your environment's security requirements. The simplest solution is to rename the index file inside the <Tomcat_directory>/webapps/ROOT directory. Alternatively, rename the ROOT app to another folder name (or delete it if you don't want to manage Tomcat with the Tomcat manager app).

 

2. The example scripts that come with Apache Tomcat, found in <Tomcat_directory>/examples/, can be leveraged by attackers to gain information about the system. To correct this, remove the /examples/ directory as well as /tomcat-docs/appdev/sample/web/hello.jsp, or move them to a different location. Please see http-tomcat-0005 for more information.
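
Both fixes can be verified before and after the change with a small script. The following is an added example, not code from this article or from Apache Tomcat: the function names are hypothetical, and the candidate on-disk paths (the locations named above plus the same paths under webapps/) are assumptions to adjust for your installation.

```shell
#!/bin/sh
# Added example. Function names and candidate paths are assumptions.

# Print each default-content path (relative to the Tomcat directory $1)
# that is still present.
tomcat_default_content() {
    base=$1
    for rel in \
        webapps/ROOT/index.jsp \
        webapps/ROOT/index.html \
        examples \
        webapps/examples \
        tomcat-docs/appdev/sample/web/hello.jsp \
        webapps/tomcat-docs/appdev/sample/web/hello.jsp
    do
        if [ -e "$base/$rel" ]; then
            printf '%s\n' "$rel"
        fi
    done
}

# Move every finding under $1 into the quarantine directory $2, keeping the
# relative path so it can be restored later.
tomcat_quarantine_defaults() {
    base=$1
    dest=$2
    # Content left under webapps/ can still be deployed and served.
    case "$dest" in
        "$base"/webapps|"$base"/webapps/*)
            echo "quarantine directory must not be inside webapps/" >&2
            return 2 ;;
    esac
    tomcat_default_content "$base" | while IFS= read -r rel; do
        # Refuse to overwrite or merge into an earlier quarantine copy.
        if [ -e "$dest/$rel" ]; then
            echo "already quarantined: $rel" >&2
            exit 1
        fi
        mkdir -p "$dest/$(dirname "$rel")" || exit 1
        mv "$base/$rel" "$dest/$rel" || exit 1
        printf 'moved %s\n' "$rel"
    done
}

# Usage: tomcat_default_content /path/to/tomcat
#        tomcat_quarantine_defaults /path/to/tomcat /path/to/quarantine
```

An empty result from `tomcat_default_content` after the move means none of the listed paths remain; rerun the vulnerability scan to confirm both findings are cleared.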