Hi Chuck,

We are using Tomcat version 9.87. Can you guide on the same?

Thanks & Regards,
Pramod Kumar Adhi

From: Chuck Caldarale <n82...@gmail.com>
Sent: Tuesday, July 9, 2024 12:31 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Apache Tomcat Default Files - TEN-12085

> On Jul 8, 2024, at 13:56, Pramod Kumar Adhi
> <pramodkumar.a...@servicenow.com.INVALID> wrote:
>
> We have one vulnerability related to the TEN-12085. Could you please advise on
> the below on how can we remediate this vulnerability.
>
> Vulnerability Description
>
> The server is not configured to return a custom page in the event of a client
> requesting a non-existent resource.
> This may result in a potential disclosure of sensitive information about the
> server to attackers.
>
> Vulnerability Summary
>
> The default error page, default index page, example JSPs and/or example
> servlets are installed on the remote Apache Tomcat server. These files should
> be removed as they may help an attacker uncover information about the remote
> Tomcat install or host itself.
>
> Vulnerability Threat
> The remote web server contains default files.
> Vulnerability Remediation notes
> Delete the default index page and remove the example JSP and servlets. Follow
> the Tomcat or OWASP instructions to replace or modify the default error page.

The above is fairly explicit about what to do to resolve this so-called “vulnerability”. Just follow the instructions that the test gave you. For an even more explicit description, read this (which you should have already done):

https://tomcat.apache.org/tomcat-10.1-doc/security-howto.html

- Chuck
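
An added example, not part of the thread and not Tomcat's own tooling: a shell function that checks a Tomcat instance for the three items the scan report names (example webapp, default index page, default error page). The directory layout, the welcome-page marker phrase and the finding labels are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes the stock layout
# ($CATALINA_BASE/webapps and $CATALINA_BASE/conf).
# Usage: audit_tomcat_defaults "$CATALINA_BASE"
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_tomcat_defaults() {
    base=$1
    found=0

    # Example JSPs and servlets ship as the "examples" webapp.
    if [ -d "$base/webapps/examples" ] || [ -f "$base/webapps/examples.war" ]; then
        echo "EXAMPLES: remove webapps/examples"
        found=1
    fi

    # Default index page. The marker phrase is an assumption about the
    # unmodified welcome page shipped in webapps/ROOT.
    if grep -qi 'successfully installed Tomcat' "$base/webapps/ROOT/index.jsp" 2>/dev/null; then
        echo "DEFAULT_INDEX: replace or remove webapps/ROOT"
        found=1
    fi

    # Default error page. ErrorReportValve controls what Tomcat's built-in
    # error page reveals; flatten newlines so a multi-line <Valve> matches.
    # Limitation: a valve inside an XML comment is not distinguished.
    valve=""
    if [ -f "$base/conf/server.xml" ]; then
        valve=$(tr '\n' ' ' < "$base/conf/server.xml" |
                grep -o '<Valve[^>]*ErrorReportValve[^>]*>' || true)
    fi
    for attr in showReport showServerInfo; do
        case $valve in
            *"$attr=\"false\""*) ;;
            *) echo "ERROR_PAGE: set $attr=\"false\" on ErrorReportValve in conf/server.xml"
               found=1 ;;
        esac
    done

    return "$found"
}
```

A clean result here covers only Tomcat's built-in error page; a custom page for a given application is declared with `<error-page>` in that application's `web.xml`.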