Details
- Bug
- Resolution: Unresolved
- Low
- None
- 8.21.1, 9.4.4
- 8.21
- 15
- Severity 3 - Minor
- 13
Description
Problem Definition
When accessing URLs that aren't under the application context and are not defined in Tomcat, Tomcat returns a 404 along with its own version.
Steps to reproduce problem
- In a Jira instance whose context path is, for instance, jira, browse http://<HOSTNAME>/non_existent_uri. Make sure you don't add the context to the URL; otherwise Jira will return its own 404 page instead of Tomcat's.
- Tomcat's 404 page discloses its own version.
Suggested Solution
A 404 should still be returned, but Tomcat shouldn't disclose its own version in it.
Workaround
Alter the behavior of the error reporting by adding the following entry to your server.xml file:
<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>
Make sure the valve is not added within the Jira context but rather at the higher hierarchy level. Example:
<Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
    <Context path="j8201" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">
      <Resource name="UserTransaction" auth="Container" type="javax.transaction.UserTransaction" factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60"/>
      <Manager pathname=""/>
      <JarScanner scanManifest="false"/>
      <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="120" />
    </Context>
    <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>
  </Host>
  <Valve className="org.apache.catalina.valves.AccessLogValve" pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%{sanitized.query}r %H&quot; %s %b %D &quot;%{sanitized.referer}r&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;"/>
</Engine>
Note
With showReport="false" set on the valve, Tomcat's error page contains only the HTTP status code as HTML, without the descriptive report body.
Ref: Apache Tomcat 8 Configuration Reference > The Valve Component > Error_Report_Valve
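An added check, not part of this issue or of Jira's own tooling, that parses a server.xml fragment and reports whether an ErrorReportValve with showServerInfo="false" sits at Host or Engine level rather than inside a Context, which is the placement the workaround above requires; both XML samples are constructed for the example.

```python
import xml.etree.ElementTree as ET

ERROR_VALVE = "org.apache.catalina.valves.ErrorReportValve"

# Constructed sample: valve placed inside the Jira <Context>. Requests for URLs
# outside that context never reach it, so the default 404 page still reports
# the Tomcat version (the placement mistake the issue warns about).
MISPLACED_XML = """<Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps">
    <Context path="jira" docBase="${catalina.home}/atlassian-jira">
      <Valve className="org.apache.catalina.valves.ErrorReportValve"
             showReport="false" showServerInfo="false"/>
    </Context>
  </Host>
</Engine>"""

# Constructed sample: same valve at <Host> level, as the workaround prescribes.
FIXED_XML = """<Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps">
    <Context path="jira" docBase="${catalina.home}/atlassian-jira"/>
    <Valve className="org.apache.catalina.valves.ErrorReportValve"
           showReport="false" showServerInfo="false"/>
  </Host>
</Engine>"""


def find_error_report_valves(xml_text):
    """Return one dict per ErrorReportValve: where it sits and how it is set."""
    found = []

    def walk(elem, inside_context):
        for child in elem:
            if child.tag == "Valve" and child.get("className") == ERROR_VALVE:
                found.append({
                    "parent": elem.tag,
                    "inside_context": inside_context,
                    # Tomcat treats both attributes as "true" when they are absent.
                    "show_server_info": child.get("showServerInfo", "true").lower(),
                    "show_report": child.get("showReport", "true").lower(),
                })
            walk(child, inside_context or child.tag == "Context")

    walk(ET.fromstring(xml_text), False)
    return found


def hides_version_on_unmapped_urls(xml_text):
    """True only if a Host- or Engine-level ErrorReportValve sets showServerInfo="false"."""
    return any(v["show_server_info"] == "false" and not v["inside_context"]
               for v in find_error_report_valves(xml_text))
```

Run it against a full server.xml by reading the file into `xml_text`; a result of False means unmapped URLs will still get Tomcat's default, version-bearing 404 page.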
Issue Links
- is related to CONFSERVER-59562 Tomcat version information disclosed when calling REST endpoints (Closed)