Nitin, Upgrading the Tomcat version will not remediate those specific findings (they aren't Tomcat version related, but they are related to how the installation was configured/installed) . Newer versions contain numerous fixes, including a number of security fixes, that really should be applied to the server if security is of any concern at all. I suggest you treat upgrading as a separate activity from remediating the security team's findings.
To remediate the findings, you will still need to remove the files as per the security team's recommendations. Removing the files is relatively straight-forward. (At this point, I strongly suggest you have a backup in case of problems...) Locate the installation folder (typically C:\Program Files\Apache Software Foundation\Tomcat 8.5\) and then delete the relevant files and folders from the "webapps" folder. Be sure to remove only the undesired files, and be careful modifying the "ROOT" application as you may have unintentional side-effects if you aren't fully aware of how it is working (it may interact with your application in some way -- or it may not). Also be sure you know what each of the files or folders are for (i.e., your application, etc.).

For instance, removing the "docs" and "examples" can be done by removing the following folders from the CATALINA_BASE folder:

  webapps\docs
  webapps\examples

Please note that if your installation already has a split CATALINA_BASE and CATALINA_HOME, you will need to locate the CATALINA_BASE folder. CATALINA_HOME will be the standard installation folder mentioned above. By default CATALINA_BASE is the same as CATALINA_HOME on an out-of-the-box Windows installation.

If I remember correctly, the Tomcat installation program (last I used it) did not support retaining the service settings, or installing over top of the existing service. As such, upgrading Tomcat on Windows first requires removing the existing installation and uninstalling the service. I thus strongly suggest transcribing all the settings from the "Configure Tomcat" application, and taking a full copy of the installation folder as a backup first. It's likely that all customizations have been made directly in the installation folder, unless someone has configured a separate CATALINA_BASE folder.
I strongly encourage you to experiment on a non-production system with Tomcat and a basic web application so that you can get familiar with the basic administration aspects of the system. Also, reading the documentation on the web site would probably be well worth your time if you are going to be maintaining this system going forward. Exploring the existing installation without changing anything (looking at the settings for the service, and the location of files) would also be a really good idea (if you haven't already done so). If you do not have time however, I am sure you can find an experienced consultant to address this in around 1-2 hours. It's not difficult to remedy (or upgrade), but it does require some experience and knowledge of how the system works, and how the individual server is set up (but that can usually be discovered without too much trouble).

-- Splitting CATALINA_BASE and CATALINA_HOME and Upgrading Tomcat on Windows --

I have linked below to a PDF [1] of a document one of my staff wrote some time ago in preparation for "splitting" our installation to minimize upgrade headaches and to upgrade the installed software. The document is not 100% accurate (I know there are some errors), nor is it super-easy to follow, but it will give you an idea of how to split the CATALINA_HOME and CATALINA_BASE folders, and also how to upgrade Tomcat.

This document applies to migrating and upgrading _our_ past installation on Windows Server 2008 R2, with Tomcat 8.5.x. _Your_ installation is bound to be _different_, and you will need to examine the configuration of the Tomcat service, as well as where files are installed (among other things) to be sure you understand all the details before going ahead with any changes.

Hopefully this information will point you in the right general direction and give you some idea of where to start looking if you want to split CATALINA_BASE and CATALINA_HOME, and upgrade Tomcat to a newer version.
[1] https://drive.google.com/file/d/1MHPsqgGCMSgoEWNvbZ0ImFX5gARxavaE/view?usp=sharing

-- Advice --

This section isn't trying to be confrontational, I'm just offering some candid advice in response to the last part of your email. I hope you won't take it in a negative way.

I don't think you should _expect_ help from this group or from me. I am hoping that "expect" was an unfortunate choice of words. I know English isn't everyone's first language, and words do not always translate very well. Given that I suspect no-one is paid to respond to this group, if you _expect_ detailed step-by-step guidance from the group, you might be setting your expectations a bit high, and you may come away frustrated or disappointed as a result.

To best benefit from this group, a person needs to put in a reasonable amount of effort to try to learn how Tomcat works, and how their installation is set up and working (or not working as the case may be). Once that is achieved, it is easier for that person to then describe their Tomcat installation, and pose specific questions about their problems, and then the group would likely be more able (and willing) to provide help to solve them.

If, for whatever reason, you don't have enough time to learn how it works and/or how your instance is set up, I strongly suggest looking for an experienced _paid_ consultant to do the work for you. (I do not have any suggestions on where to look for one though.)

Robert

On Thu, Jan 21, 2021 at 10:43 PM Nitin Kadam <nitinkadam1...@gmail.com> wrote:

> Thank you Robert for your reply.
>
> If we upgrade the tomcat version from the current 8.5.38 to 8.5.61, will this remediate the findings or do we still need to delete these files as suggested?
>
> Also, is this upgrade straightforward, or do we need to perform the same with any specific steps? Please suggest.
>
> I am from a Windows Administrator background and hence facing these challenges, so expecting help from you and this group.
> On Thu, Jan 21, 2021 at 8:06 PM Robert Turner <rtur...@e-djuster.ca> wrote:
>
> > Have a look at https://tomcat.apache.org/tomcat-8.5-doc/security-howto.html . The documentation includes the recommendations made by your internal security team, along with others.
> >
> > You may also want to upgrade to 8.5.61 or 9.0.41 to pick up the latest security updates for Tomcat. (latest versions at time of writing)
> >
> > If you are unsure how to delete the files as mentioned in your security team's recommendations and the documentation, you have two approaches that I can think of quickly:
> >
> > 1. Remove the files from the installation folder (by navigating to the installed folder under program files, in "webapps" and removing the files/folders).
> >
> > 2. Create a new CATALINA_BASE folder with only what you need, and reconfigure the Windows service to use the new folder. (Use the Configure Tomcat application shortcut, and change the "catalina.base" property passed to Java when starting the service to point to your new folder with only the things you need. Start with a copy of the Tomcat installation folder, remove "bin" and "lib" and the webapps/files you do not need.) This approach avoids modifying the original installation files/folders.
> >
> > You may also be able to modify the installation settings of the application using Add or Remove Programs in Windows Control Panel to remove the example applications if you'd prefer that approach instead of #1 above, but that might require reinstalling Tomcat again.
> >
> > Best of luck,
> >
> > Robert
> >
> > On Thu, Jan 21, 2021 at 9:24 AM Nitin Kadam <nitinkadam1...@gmail.com> wrote:
> >
> > > Hi Team,
> > >
> > > The internal security team reported below as Security findings. We do not have anyone from a Tomcat background and for same we need to know the best steps to resolve this issue.
> > >
> > > "Delete the default index page and remove the example JSP and servlets. Follow the Tomcat or OWASP instructions to replace or modify the default error page."
> > >
> > > This is a finding from the Nessus tool. It would be great if someone helps with steps to resolve.
> > >
> > > Apache tomcat version: 8.5.38
> > > Operating system: Windows Server 2012 R2
> > >
> > > --
> > > Regards
> > > Nitin Kadam
> > > (9967688959)
>
> --
> Regards
> Nitin Kadam
> (9967688959)
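As an added example (not code from the thread or from the Tomcat project), this PowerShell script carries out approach #2 from Robert's earlier reply: it builds a separate CATALINA_BASE from the installed CATALINA_HOME, leaving out "bin" and "lib" and dropping the "docs" and "examples" webapps named in the findings, without touching the original installation. The two paths are placeholders for your own installation, and the final step (pointing the service's catalina.base at the new folder in Configure Tomcat) is still done by hand; run it with -WhatIf first to preview.

```powershell
# Added example, not from the thread. Builds a separate CATALINA_BASE from an
# existing CATALINA_HOME on Windows (approach #2 above). Paths are placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$CatalinaHome = 'C:\Program Files\Apache Software Foundation\Tomcat 8.5',
    [string]$CatalinaBase = 'C:\tomcat-base'
)
$ErrorActionPreference = 'Stop'

# bin and lib stay in CATALINA_HOME only; the new base gets everything else.
$homeOnly = @('bin', 'lib')
# Default webapps the findings ask to remove. Add 'manager' / 'host-manager'
# here too if nobody uses them; never list 'ROOT' or your own application.
$unwantedWebapps = @('docs', 'examples')

if (-not (Test-Path -LiteralPath $CatalinaHome -PathType Container)) {
    throw "CATALINA_HOME not found: $CatalinaHome"
}
if (Test-Path -LiteralPath $CatalinaBase) {
    throw "Refusing to overwrite existing folder: $CatalinaBase"
}

if ($PSCmdlet.ShouldProcess($CatalinaBase, "Create CATALINA_BASE from $CatalinaHome")) {
    # Copy the installation, skipping bin and lib. The original is never modified.
    New-Item -ItemType Directory -Path $CatalinaBase | Out-Null
    Get-ChildItem -LiteralPath $CatalinaHome |
        Where-Object { $homeOnly -notcontains $_.Name } |
        ForEach-Object { Copy-Item -LiteralPath $_.FullName -Destination $CatalinaBase -Recurse }

    # Drop the unwanted default webapps from the new base (folder and any .war).
    foreach ($app in $unwantedWebapps) {
        foreach ($path in @("$CatalinaBase\webapps\$app", "$CatalinaBase\webapps\$app.war")) {
            if (Test-Path -LiteralPath $path) {
                Remove-Item -LiteralPath $path -Recurse -Force
                Write-Host "Removed $path"
            }
        }
    }

    # Show what is left so it can be checked against the list of known applications.
    Write-Host "Remaining webapps in ${CatalinaBase}:"
    Get-ChildItem -LiteralPath "$CatalinaBase\webapps" | Select-Object -ExpandProperty Name
}

# Last step is manual, as described in the thread: in Configure Tomcat, change the
# catalina.base property passed to Java (-Dcatalina.base=<CatalinaBase>) and
# restart the service, then confirm /docs and /examples return 404.
```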