Thank you, Robert, for your reply. If we upgrade the Tomcat version from the current 8.5.38 to 8.5.61, will this remediate the findings, or do we still need to delete these files as suggested?

Also, is this upgrade straightforward, or do we need to perform it with any specific steps? Please suggest. I am from a Windows Administrator background and hence am facing these challenges, so I am expecting help from you and this group.

On Thu, Jan 21, 2021 at 8:06 PM Robert Turner <rtur...@e-djuster.ca> wrote:

> Have a look at
> https://tomcat.apache.org/tomcat-8.5-doc/security-howto.html
> . The documentation includes the recommendations made by your internal
> security team, along with others.
>
> You may also want to upgrade to 8.5.61 or 9.0.41 to pick up the latest
> security updates for Tomcat. (latest versions at time of writing)
>
> If you are unsure how to delete the files as mentioned in your security
> team's recommendations and the documentation, you have two approaches that I
> can think of quickly:
>
> 1. Remove the files from the installation folder (by navigating to the
> installed folder under program files, in "webapps" and removing the
> files/folders).
>
> 2. Create a new CATALINA_BASE folder with only what you need, and
> reconfigure the Windows service to use the new folder. (Use the Configure
> Tomcat application shortcut, and change the "catalina.base" property passed
> to Java when starting the service to point to your new folder with only the
> things you need (start with a copy of the Tomcat installation folder,
> remove "bin" and "lib" and the webapps/files you do not need)). This
> approach avoids modifying the original installation files/folders.
>
> You may also be able to modify the installation settings of the application
> using Add or Remove Programs in Windows Control Panel to remove the example
> applications if you'd prefer that approach instead of #1 above, but that
> might require reinstalling Tomcat again.
>
> Best of luck,
>
> Robert
>
> On Thu, Jan 21, 2021 at 9:24 AM Nitin Kadam <nitinkadam1...@gmail.com>
> wrote:
>
> > Hi Team,
> >
> > The internal security team reported the below as security findings. We do
> > not have anyone from a Tomcat background, and for the same we need to know
> > the best steps to resolve this issue.
> >
> > "Delete the default index page and remove the example JSP and servlets.
> > Follow the Tomcat or OWASP instructions to replace or modify the default
> > error page."
> >
> > This is a finding from the Nessus tool. It would be great if someone helps
> > with steps to resolve.
> >
> > Apache Tomcat version: 8.5.38
> > Operating system: Windows Server 2012 R2
> >
> > --
> > Regards
> > Nitin Kadam
> > (9967688959)

--
Regards
Nitin Kadam
(9967688959)
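
Robert's second approach (a separate CATALINA_BASE holding only what is needed) as a PowerShell script; this is an added example, not part of the original thread. The two paths and the application name myapp are assumptions, and instead of copying the whole installation and deleting from it, the script copies conf and creates empty logs, temp, work and webapps folders.

```powershell
# Added example: build a minimal CATALINA_BASE without touching the installation.
# Both default paths and the application name 'myapp' are assumptions; adjust them.
param(
    [string]$CatalinaHome = 'C:\Program Files\Apache Software Foundation\Tomcat 8.5',
    [string]$CatalinaBase = 'D:\tomcat-base',
    [string[]]$KeepApps   = @('myapp')   # hypothetical application folder or WAR name
)

$ErrorActionPreference = 'Stop'

# Web applications shipped with a stock Tomcat 8.5 installation.
$defaultApps = 'ROOT', 'docs', 'examples', 'manager', 'host-manager'

if (Test-Path -LiteralPath $CatalinaBase) {
    throw "Refusing to overwrite existing folder: $CatalinaBase"
}

# Folders Tomcat expects under CATALINA_BASE (bin and lib stay in CATALINA_HOME).
foreach ($dir in 'conf', 'logs', 'temp', 'work', 'webapps') {
    New-Item -ItemType Directory -Path (Join-Path $CatalinaBase $dir) -Force | Out-Null
}

# Copy the configuration unchanged, including any per-host context files.
Copy-Item -Path (Join-Path $CatalinaHome 'conf\*') `
          -Destination (Join-Path $CatalinaBase 'conf') -Recurse

# Copy only the requested applications; a name matches a folder or a .war file.
$srcApps = Join-Path $CatalinaHome 'webapps'
foreach ($app in $KeepApps) {
    $found = Get-ChildItem -LiteralPath $srcApps | Where-Object { $_.BaseName -eq $app }
    if (-not $found) { Write-Warning "Not found in ${srcApps}: $app"; continue }
    $found | Copy-Item -Destination (Join-Path $CatalinaBase 'webapps') -Recurse
}

# Check the result: none of the stock applications should be in the new base.
$present = Get-ChildItem -LiteralPath (Join-Path $CatalinaBase 'webapps') |
    Where-Object { $defaultApps -contains $_.BaseName }
if ($present) {
    Write-Warning "Stock applications still present: $($present.Name -join ', ')"
} else {
    Write-Output "No stock Tomcat applications in $CatalinaBase\webapps"
}
Write-Output "Set catalina.base to $CatalinaBase in the Configure Tomcat shortcut."
```

The account the Tomcat service runs as needs write access to the logs, temp and work folders in the new base. The script does not address the default error page part of the finding.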