> On Jul 8, 2024, at 14:54, Pramod Kumar Adhi <[email protected]> wrote:
>
> We are using tomcat version 9.87 can you guide on the same.

Seriously? You can’t find the 9.0.x documentation on the Tomcat web site yourself? Ok…

https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html

  - Chuck

> From: Chuck Caldarale <[email protected]>
> Sent: Tuesday, July 9, 2024 12:31 AM
> To: Tomcat Users List <[email protected]>
> Subject: Re: Apache Tomcat Default Files - TEN-12085
>
> [External Email]
>
> > On Jul 8, 2024, at 13:56, Pramod Kumar Adhi <[email protected]> wrote:
> >
> > We have one vulnerability related to the TEN-12085. Could you please advise
> > on the below on how can we remediate this vulnerability.
> >
> > Vulnerability Description
> >
> > The server is not configured to return a custom page in the event of a
> > client requesting a non-existent resource.
> > This may result in a potential disclosure of sensitive information about
> > the server to attackers.
> >
> > Vulnerability Summary
> >
> > The default error page, default index page, example JSPs and/or example
> > servlets are installed on the remote Apache Tomcat server. These files
> > should be removed as they may help an attacker uncover information about
> > the remote Tomcat install or host itself.
> >
> > Vulnerability Threat
> >
> > The remote web server contains default files.
> >
> > Vulnerability Remediation notes
> >
> > Delete the default index page and remove the example JSP and servlets.
> > Follow the Tomcat or OWASP instructions to replace or modify the default
> > error page.
>
> The above is fairly explicit about what to do to resolve this so-called
> “vulnerability”. Just follow the instructions that the test gave you.
>
> For an even more explicit description, read this (which you should have
> already done):
>
> https://tomcat.apache.org/tomcat-10.1-doc/security-howto.html
>
>   - Chuck
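
A read-only check for the items the finding names (example webapp, default index page, default error page), added here as an example; it is not part of the thread and not code from the Tomcat project. The function name, the stock webapps/ and conf/ layout under the directory passed in, and the greeting-text match for the default index page are assumptions.

```shell
#!/bin/sh
# Added example: audit a Tomcat instance for the default content named in the
# scanner finding. Read-only; prints one line per finding.
# Assumption: $1 is CATALINA_BASE with the stock webapps/ and conf/ layout.

audit_tomcat_defaults() {
    base=$1
    findings=0

    # Web applications that ship with the stock distribution.
    for app in examples docs; do
        if [ -d "$base/webapps/$app" ]; then
            echo "FOUND default webapp: webapps/$app"
            findings=$((findings + 1))
        fi
    done

    # Stock welcome page, matched on its greeting text (heuristic, assumed).
    if grep -qs "successfully installed Tomcat" "$base/webapps/ROOT/index.jsp"; then
        echo "FOUND default index page: webapps/ROOT/index.jsp"
        findings=$((findings + 1))
    fi

    # Default error page: look for an ErrorReportValve that hides both the
    # error report and the server version. Newlines are flattened first
    # because the <Valve> element is often split across lines.
    valve=""
    if [ -r "$base/conf/server.xml" ]; then
        valve=$(tr '\n' ' ' < "$base/conf/server.xml" |
                grep -o '<Valve[^>]*ErrorReportValve[^>]*>' || true)
    fi
    case $valve in
        *'showReport="false"'*'showServerInfo="false"'* | \
        *'showServerInfo="false"'*'showReport="false"'*) ;;
        *)
            echo "FOUND default error page: no hardened ErrorReportValve in conf/server.xml"
            findings=$((findings + 1))
            ;;
    esac

    echo "total findings: $findings"
    [ "$findings" -eq 0 ]   # exit status 0 only when nothing was found
}
```

The valve check is a text match, so a commented-out `<Valve>` in server.xml would also satisfy it; custom `<error-page>` mappings in web.xml are not inspected.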
