Stack tracing must be disabled in Apache Tomcat.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
medium	V-224788	SRG-APP-000383	ISEC-06-551200	SV-224788r1013873_rule	2024-08-20	3

Description
The default error page shows a full stack trace, which is a disclosure of sensitive information. Removal of unneeded or nonsecure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources. The organization must perform a periodic scan/review of the application (as required by CCI-000384) and disable functions, ports, protocols, and services deemed to be unneeded or nonsecure.

Description

The default error page shows a full stack trace, which is a disclosure of sensitive information. Removal of unneeded or nonsecure functions, ports, protocols, and services mitigate the risk of unauthorized connection of devices, unauthorized transfer of information, or other exploitation of these resources. The organization must perform a periodic scan/review of the application (as required by CCI-000384) and disable functions, ports, protocols, and services deemed to be unneeded or nonsecure.

ℹ️ Check
Verify stack tracing has been disabled in Apache Tomcat. Navigate to the ISEC7 SPHERE installation directory: <Drive>:\Program Files\ISEC7 SPHERE\web\WEB-INF. Open web.xml with Notepad.exe. Scroll to the end of the file. Confirm there are no comment tags <!--" and "--> and the following exists without comment tags: <error-page> <exception-type>java.lang.Exception</exception-type> <location>/exception.jsp</location> </error-page> If stack tracing has not been disabled in Apache Tomcat, this is a finding.

ℹ️ Check

Verify stack tracing has been disabled in Apache Tomcat. Navigate to the ISEC7 SPHERE installation directory: <Drive>:\Program Files\ISEC7 SPHERE\web\WEB-INF. Open web.xml with Notepad.exe. Scroll to the end of the file. Confirm there are no comment tags  and the following exists without comment tags: <error-page> <exception-type>java.lang.Exception</exception-type> <location>/exception.jsp</location> </error-page> If stack tracing has not been disabled in Apache Tomcat, this is a finding.

✔️ Fix
Remove the default error page by updating the web application web.xml file. Navigate to the ISEC7 SPHERE installation directory: <Drive>:\Program Files\ISEC7 SPHERE\web\WEB-INF. Open web.xml with Notepad.exe. Scroll to the end of the file. Remove the comment tags <!--" and "-->. <!-- <error-page> <exception-type>java.lang.Exception</exception-type> <location>/exception.jsp</location> </error-page> --> Save the changes. This will acknowledge to the user that an exception occurred without showing any trace or source information.

✔️ Fix

Remove the default error page by updating the web application web.xml file. Navigate to the ISEC7 SPHERE installation directory: <Drive>:\Program Files\ISEC7 SPHERE\web\WEB-INF. Open web.xml with Notepad.exe. Scroll to the end of the file. Remove the comment tags .  Save the changes. This will acknowledge to the user that an exception occurred without showing any trace or source information.