On 31/10/2025 04:54, Gagandeep Singh Rawat wrote:
> Hi Team
> I am getting the below error, which is expected, but the Tomcat reply shows its
> version, and it is a vulnerability detected by our VAPT team.
That isn't a vulnerability.
You should be running a Tomcat version either with no known, published
vulnerabilities or one where you know that the known published
vulnerabilities do not apply to your configuration.
If you aren't doing the above then you are knowingly running a Tomcat
version with a known vulnerability that impacts your configuration and
that IS a problem. And hiding the version number won't change that.
A potential attacker knowing the version of Tomcat you are running
doesn't change any of the above.
Hiding the version number from an attacker doesn't change any of the
above or improve your security in any meaningful way.
> Can you advise how I can change the source file so that it does not show the
> version in the response? I could handle the 404 error by placing a 404.html file
> in the /ROOT/ directory; however, the same is not applicable to the 400 response.
Wrong question. You are assuming the solution requires a source code change.
If you need to hide the version number so that you can tick a box in a
"security" checklist then you have a few options.
Several of those options are described at:
https://tomcat.apache.org/tomcat-11.0-doc/security-howto.html#Valves
Alternatively look at the benefits of configuring the "errorCode.0"
attribute (and possibly individual error codes) on the Error Report Valve:
https://tomcat.apache.org/tomcat-11.0-doc/config/valve.html#Error_Report_Valve
Mark
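As an added example (not code from this thread and not a fragment copied from the Tomcat documentation), here is a server.xml Host fragment that configures the Error Report Valve along the lines Mark points to: showReport and showServerInfo switched off so generated error pages carry neither the exception report nor the "Apache Tomcat/x.y.z" footer, errorCode.0 naming a static file used for any status code without a more specific entry, and errorCode.400 overriding it for 400 only. The host name, appBase and the two file locations under CATALINA_BASE are assumptions for the example.

```xml
<!-- Added example, not from the thread. Place inside <Engine> in
     $CATALINA_BASE/conf/server.xml. Declaring the ErrorReportValve
     explicitly on the Host means Tomcat does not add its implicit
     default instance, so these attributes govern every error response
     produced through this Host, including ones for requests that never
     reach a web application (hence no per-webapp 400.html is needed).
     File paths are assumptions; relative paths resolve against
     CATALINA_BASE. -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

  <Valve className="org.apache.catalina.valves.ErrorReportValve"
         showReport="false"
         showServerInfo="false"
         errorCode.0="conf/errors/default.html"
         errorCode.400="conf/errors/400.html" />

</Host>
```

To check the result after a restart, send a request Tomcat must reject at the protocol level rather than one a web application handles, for example a request line with a malformed percent-encoding such as `GET /%zz HTTP/1.1` typed through `nc` or `openssl s_client`; the 400 reply body should now be the contents of the configured static file (or an empty body if the file is missing), with no version string. Note that this only changes what the error page says; as Mark stresses above, it does nothing about whether the Tomcat build in use actually has applicable published vulnerabilities.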