JRASERVER-73263
Feb 08, 2022 - 11:13 a.m.

Tomcat should not disclose its own version to unauthenticated users

adridi
jira.atlassian.com
Labels: tomcat, unauthenticated users, 404 error, version disclosure, error report valve

h3. Problem Definition
When accessing URLs that aren’t under the application context and are not defined in Tomcat, Tomcat returns a 404 along with its own version.
h4. +Steps to reproduce problem+

  • In a Jira instance whose context path is, for instance, jira, browse http://<HOSTNAME>/non_existent_uri. Make sure you don’t add the context to the URL; otherwise Jira, not Tomcat, will return the 404 page.
  • Tomcat discloses its own version in the 404 response.

h3. Suggested Solution
A 404 should still be returned, but Tomcat shouldn’t disclose its own version.

h3. Workaround
Alter the behavior of the error reporting by adding the following entry to your server.xml file:
{code:xml|borderStyle=solid|borderColor=#6A8EB3|bgColor=#F8F8F8}
<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>
{code}
Make sure the valve is not added within the Jira context but at a higher level of the hierarchy (the Host element in the example below). Example:
{code:xml|borderStyle=solid|borderColor=#6A8EB3|bgColor=#F8F8F8}
<Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

        <Context path="j8201" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">
            <Resource name="UserTransaction" auth="Container" type="javax.transaction.UserTransaction"
                      factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60"/>
            <Manager pathname=""/>
            <JarScanner scanManifest="false"/>
            <Valve className="org.apache.catalina.valves.StuckThreadDetectionValve" threshold="120" />
        </Context>
        <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>

    </Host>
    <Valve className="org.apache.catalina.valves.AccessLogValve"
           pattern="%a %{jira.request.id}r %{jira.request.username}r %t &quot;%m %U%{sanitized.query}r %H&quot; %s %b %D &quot;%{sanitized.referer}r&quot; &quot;%{User-Agent}i&quot; &quot;%{jira.request.assession.id}r&quot;"/>
</Engine>
{code}
h4. +Note+
By adding {{showReport="false"}} to the valve, Tomcat will return only the HTTP status code as HTML, without the error report.
Ref: [Apache Tomcat 8 Configuration Reference > The Valve Component > Error_Report_Valve|https://tomcat.apache.org/tomcat-8.5-doc/config/valve.html#Error_Report_Valve]
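A quick way to verify that the workaround above is applied correctly is to audit server.xml for where the ErrorReportValve sits and what it is set to. The following script is an added example, not part of this issue or of Atlassian's or Tomcat's code; it parses a server.xml with the standard library and flags two failure modes the workaround text warns about: a valve placed inside the Jira Context (where it has no effect on 404s outside the context) and the absence of a Host- or Engine-level valve with showServerInfo="false" (Tomcat's default is to show server info). The two embedded server.xml fragments are constructed samples, and the context path /jira in them is an assumption.

```python
import xml.etree.ElementTree as ET

ERROR_VALVE = "org.apache.catalina.valves.ErrorReportValve"

# Constructed sample: workaround applied at Host level, outside the Context.
GOOD_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Context path="/jira" docBase="${catalina.home}/atlassian-jira" reloadable="false">
          <Manager pathname=""/>
        </Context>
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false"/>
      </Host>
      <Valve className="org.apache.catalina.valves.AccessLogValve"
             pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: the common mistake, valve nested inside the Jira Context
# and nothing at Host level, so Tomcat's default (version shown) still applies.
BAD_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Context path="/jira" docBase="${catalina.home}/atlassian-jira" reloadable="false">
          <Valve className="org.apache.catalina.valves.ErrorReportValve"
                 showReport="false" showServerInfo="false"/>
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
"""


def is_false(value):
    """Tomcat attribute booleans are strings; anything but 'false' keeps the default (true)."""
    return value is not None and value.strip().lower() == "false"


def audit_error_report_valves(server_xml):
    """Audit ErrorReportValve placement and settings in a server.xml string.

    Returns a dict with:
      effective  - True if a Host- or Engine-level ErrorReportValve has showServerInfo="false"
      misplaced  - context paths of <Context> elements that contain an ErrorReportValve
      findings   - human-readable list of what was found
    """
    root = ET.fromstring(server_xml.strip())
    effective = False
    misplaced = []
    findings = []

    # ElementTree has no parent pointers, so walk every element and inspect its children.
    for parent in root.iter():
        for child in parent:
            if child.tag != "Valve" or child.get("className") != ERROR_VALVE:
                continue
            hides_version = is_false(child.get("showServerInfo"))
            if parent.tag == "Context":
                # Inside a Context the valve never sees requests for URLs outside that context.
                misplaced.append(parent.get("path"))
                findings.append(
                    "ErrorReportValve inside <Context path=%r>: does not cover 404s outside the context"
                    % parent.get("path"))
            elif parent.tag in ("Host", "Engine"):
                if hides_version:
                    effective = True
                    findings.append("%s-level ErrorReportValve hides server info" % parent.tag)
                else:
                    findings.append(
                        "%s-level ErrorReportValve present but showServerInfo is not \"false\""
                        % parent.tag)

    if not effective:
        findings.append(
            'No Host/Engine-level ErrorReportValve with showServerInfo="false": '
            "Tomcat will disclose its version on 404s outside the application context")
    return {"effective": effective, "misplaced": misplaced, "findings": findings}


if __name__ == "__main__":
    for label, xml_text in (("good", GOOD_SERVER_XML), ("bad", BAD_SERVER_XML)):
        report = audit_error_report_valves(xml_text)
        print(label, "effective=%s misplaced=%s" % (report["effective"], report["misplaced"]))
        for line in report["findings"]:
            print("  -", line)
```

To run it against a live deployment, read the real server.xml from disk and pass its contents to audit_error_report_valves; a result with effective=False or a non-empty misplaced list means the 404 page outside the Jira context still carries the Tomcat version.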

Affected configurations (Vulners node)

Vendor: atlassian
Product: jira_data_center
Versions: 8.21.1 OR 9.4.4
CPE: cpe:2.3:a:atlassian:jira_data_center:*:*:*:*:*:*:*:*