As the concern is that an error page will show the Tomcat version/patch info
AND a stacktrace,
I found the easier/better? solution to be adding ..... showReport="false"
showServerInfo="false"
to the Error Report Valve section at the bottom of server.xml (and adding or
uncommenting that valve section...):

 <Valve className="org.apache.catalina.valves.ErrorReportValve"
showReport="false" showServerInfo="false" />

On Wed, Jun 3, 2020 at 5:40 AM Martin Grigorov <mgrigo...@apache.org> wrote:

> On Wed, Jun 3, 2020 at 11:14 AM FANG YAP <fangg...@gmail.com> wrote:
>
> > Hello Martin,
> >
> > It is to say that I have to declare something like this in web.xml file?
> >
> > <error-page>
> > <exception-type>java.lang.Exception</exception-type>
> > <location>/error.jsp</location>
> > </error-page>
> >
>
> Better use the error-code ones from the StackOverflow link I gave you.
> Your approach will cover only error code 500 (for Exceptions, but not for
> java.lang.Error) and won't cover NotFound (404) and the others.
> I guess Nessus won't be totally happy with your approach.
>
>
> >
> > Regards with Thanks,
> >
> > Fang
> >
> > On Wed, 3 Jun 2020, 15:56 Martin Grigorov, <mgrigo...@apache.org> wrote:
> >
> > > Hi,
> > >
> > > On Wed, Jun 3, 2020 at 5:53 AM FANG YAP <fangg...@gmail.com> wrote:
> > >
> > > > Resend
> > > >
> > > > On Wed, 3 Jun 2020, 10:10 FANG YAP, <fangg...@gmail.com> wrote:
> > > >
> > > > > Hi Tomcat,
> > > > >
> > > > > Nessus scanned and found issue in Apache Tomcat Port 8080
> > > > >
> > > > > Port: 8080
> > > > > Plugin Text:
> > > > > The server is not configured to return a custom page in the event of a
> > > > > client requesting a non-existent resource. This may result in a potential
> > > > > disclosure of sensitive information about the server to attacker.
> > > > >
> > > > > Apache Tomcat Version: 8.5.43
> > > > > JDK 8: 1.8.0_212 (Will be upgrading to latest soon to latest 1.8.0_251)
> > > >
> > >
> > > To configure custom error pages and thus to suppress this issue you can:
> > > 1) use ErrorReportValve
> > > <https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Error_Report_Valve>
> > >
> > > 2) configure error-page elements in your application web.xml -
> > > https://stackoverflow.com/a/7066536/497381
> > >
> > >
> > > > >
> > > > > Your assistance would be greatly appreciated
> > > > >
> > > > > Rgs,
> > > > > Fang
> > > > >
> > > >
> > >
> >
>
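
A configuration check covering both options discussed in this thread, as an added example that is not part of any message in it: it reports whether a server.xml declares the ErrorReportValve with showReport and showServerInfo set to false, and which status codes a web.xml leaves without an error-page. The function names and the sample XML strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

VALVE = "org.apache.catalina.valves.ErrorReportValve"

def local(tag):
    return tag.rsplit("}", 1)[-1]  # '{ns}error-page' -> 'error-page'

def audit_server_xml(text):
    """Findings for the ErrorReportValve settings in a server.xml string."""
    valves = [v for v in ET.fromstring(text).iter("Valve")
              if v.get("className") == VALVE]
    if not valves:
        return ["no ErrorReportValve declared: default error report applies"]
    # An omitted attribute is treated as true, which is the Tomcat default.
    return [f"{attr} is not false" for v in valves
            for attr in ("showReport", "showServerInfo")
            if v.get(attr, "true").strip().lower() != "false"]

def audit_web_xml(text, required=("404", "500")):
    """Findings for <error-page> coverage in a web.xml string."""
    codes, has_exc, catch_all = set(), False, False
    root = ET.fromstring(text)
    for page in [e for e in root.iter() if local(e.tag) == "error-page"]:
        kids = {local(c.tag): (c.text or "").strip() for c in page}
        if "error-code" in kids:
            codes.add(kids["error-code"])
        elif "exception-type" in kids:
            has_exc = True
        else:
            catch_all = True  # Servlet 3.1 default error page: location only
    if catch_all:
        return []
    out = [f"no error-page for error-code {c}" for c in required if c not in codes]
    if has_exc and not codes:
        out.append("only exception-type mappings: status codes such as 404 uncovered")
    return out

# Constructed sample inputs, not taken from any real deployment.
SERVER_DEFAULT = '<Server><Service><Engine><Host name="localhost"/></Engine></Service></Server>'
SERVER_HARDENED = ('<Server><Service><Engine><Host name="localhost"><Valve className="%s" '
                   'showReport="false" showServerInfo="false"/></Host></Engine></Service></Server>' % VALVE)
WEB_EXCEPTION_ONLY = ('<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><error-page>'
                      '<exception-type>java.lang.Exception</exception-type>'
                      '<location>/error.jsp</location></error-page></web-app>')
WEB_BY_CODE = ('<web-app><error-page><error-code>404</error-code><location>/error.jsp</location></error-page>'
               '<error-page><error-code>500</error-code><location>/error.jsp</location></error-page></web-app>')

if __name__ == "__main__":
    print(audit_server_xml(SERVER_DEFAULT), audit_web_xml(WEB_EXCEPTION_ONLY))
```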
