On 11/04/2024 15:49, Bill Stewart wrote:
On Wed, Apr 10, 2024 at 2:14 PM Mark Thomas wrote:

... and it might represent an information leakage vulnerability in your
application. Be careful.

Shall we start the flame war now on whether exposing the current version
you are running represents a valid vulnerability or if hiding it is
just security by obscurity? Or do you want to save it for Bratislava?

:)

More seriously, your time is likely to be better spent (in my view)
keeping your Tomcat installations up to date with the latest releases
than it is ensuring that you hide the version number.


The amusing thing (or irritating thing, depending on your point of view) is
when a large organization uses a vulnerability scanner and a Tomcat
instance gets flagged as a security risk because it reveals its version
number in the 404 error page. (Yes, this is a real scenario.)

At least it is an easy fix: showServerInfo="false"

assuming that is going to be easier than convincing folks that exposing the version number isn't an issue.

Mark
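An added audit helper (not part of the thread, and not Tomcat's own code) for the `showServerInfo="false"` fix above: it checks a `server.xml` for an `ErrorReportValve` with `showServerInfo="false"` on every `Host` and checks a captured 404 body for the `Apache Tomcat/<version>` banner; the `server.xml` and the two 404 bodies are constructed samples, and the host names and version number in them are made up.

```python
import re
import xml.etree.ElementTree as ET

ERROR_VALVE = "org.apache.catalina.valves.ErrorReportValve"
# The default error page prints ServerInfo as a heading, e.g. "<h3>Apache Tomcat/9.0.87</h3>".
VERSION_BANNER = re.compile(r"Apache Tomcat/\d+\.\d+\.\d+")


def hosts_leaking_server_info(server_xml: str) -> list[str]:
    """Return the names of Hosts whose error pages will still show the version.

    Tomcat adds a default ErrorReportValve (showServerInfo defaults to true) to
    any Host that does not declare one, so a Host with no valve also counts.
    """
    root = ET.fromstring(server_xml)
    leaking = []
    for host in root.iter("Host"):
        valves = [v for v in host.findall("Valve")
                  if v.get("className") == ERROR_VALVE]
        hidden = any(v.get("showServerInfo", "true").lower() == "false"
                     for v in valves)
        if not hidden:
            leaking.append(host.get("name", "?"))
    return leaking


def page_reveals_version(html: str) -> bool:
    """True if an error page body carries the Tomcat version banner."""
    return VERSION_BANNER.search(html) is not None


# Constructed server.xml: first Host is fixed, second Host relies on the default valve.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps">
    <Valve className="org.apache.catalina.valves.ErrorReportValve"
           showReport="false" showServerInfo="false"/>
  </Host>
  <Host name="intranet.example" appBase="intranet"/>
</Engine></Service></Server>"""

# Constructed 404 bodies: the default page, and one with showServerInfo="false".
LEAKY_404 = ('<html><body><h1>HTTP Status 404 - Not Found</h1>'
             '<hr class="line" /><h3>Apache Tomcat/9.0.87</h3></body></html>')
QUIET_404 = '<html><body><h1>HTTP Status 404 - Not Found</h1></body></html>'

if __name__ == "__main__":
    print(hosts_leaking_server_info(SAMPLE_SERVER_XML))  # ['intranet.example']
    print(page_reveals_version(LEAKY_404), page_reveals_version(QUIET_404))  # True False
```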
