Narayana Tutorial

Online Java Tutorial Blog

How to disable Apache Tomcat Server version

 

By default, Apache Tomcat exposes its server version, which is a security issue. There are three approaches to hiding the Apache Tomcat server version. The easiest is to add one attribute in server.xml.

How to check Apache Tomcat Server version details

Open a command prompt on Windows and go to the Apache Tomcat lib directory using the cd command, as follows.

C:\Users\narayanatutorial>cd /d D:\Tools\Apache\apache-tomcat-6.0.26\lib

D:\Tools\Apache\apache-tomcat-6.0.26\lib>java -cp catalina.jar org.apache.catalina.util.ServerInfo

 

Output

Server version: Apache Tomcat/6.0.26
Server built:   March 9 2010 1805
Server number:  6.0.26.0
OS Name:        Windows 7
OS Version:     6.1
Architecture:   amd64
JVM Version:    1.8.0_131-b11
JVM Vendor:     Oracle Corporation

 

Approach 1

By adding the server attribute in server.xml

This approach hides the Apache Tomcat version in the response header, but not in the error page.

server.xml path : C:/<Apache-Tomcat-Installation-Directory>/conf/server.xml

Note: Back up server.xml before editing it.

Example

<Connector port="8084" protocol="HTTP/1.1" connectionTimeout="20000"  
enableLookups="false" redirectPort="8443" server="Apache Tomcat"  />

This is the easiest way to hide the Apache Tomcat server version.

Output

You can find the changes highlighted in yellow in the image below.

The above changes are reflected in the response header, not in any error page.

The error page still shows the Apache Tomcat server version details, as follows.

To hide the Apache Tomcat server version in the error page as well, follow Approach 2 or Approach 3 below.

Approach 2

By modifying ServerInfo.properties, which is inside catalina.jar. You need to extract the file, modify it, and add it back in the same place. The steps below show how to modify ServerInfo.properties.

ServerInfo.properties file location in catalina.jar is /org/apache/catalina/util/ServerInfo.properties

 

Step 1

Take a backup of the catalina.jar file, which is in this location: C:/<Apache-Tomcat-Installation-Directory>/lib/catalina.jar

 

Step 2

Create a folder inside the lib folder, for example catalina, copy the jar into it, and then extract the file from the jar as follows.

C:\Users\narayanatutorial>cd /d D:\Tools\Apache\apache-tomcat-6.0.26\lib

D:\Tools\Apache\apache-tomcat-6.0.26\lib>mkdir catalina

D:\Tools\Apache\apache-tomcat-6.0.26\lib>cd catalina

D:\Tools\Apache\apache-tomcat-6.0.26\lib\catalina>copy ..\catalina.jar .

D:\Tools\Apache\apache-tomcat-6.0.26\lib\catalina>jar xf catalina.jar org/apache/catalina/util/ServerInfo.properties

You can then find the ServerInfo.properties file in that location. Open it in Notepad to edit it.

server.info=Apache Tomcat/8.5.4
server.number=8.5.4.0
server.built=Jul 6 2016 08:43:30 UTC

Here you can change server.info=Apache Tomcat/8.5.4 to server.info=Apache Tomcat and then save the file.

 

Step 3

After saving, add the file back to the same place in catalina.jar by executing the following command.

D:\Tools\Apache\apache-tomcat-6.0.26\lib\catalina>jar uf catalina.jar org/apache/catalina/util/ServerInfo.properties

Then copy catalina.jar to the main location C:/<Apache-Tomcat-Installation-Directory>/lib/

If you are asked whether to replace the existing file, replace it. Then start the Apache Tomcat server and check the version in the same way as before.

D:\Tools\Apache\apache-tomcat-6.0.26\lib>java -cp catalina.jar org.apache.catalina.util.ServerInfo

Output

server.info=Apache Tomcat
server.number=8.5.4.0
server.built=Jul 6 2016 08:43:30 UTC

 

Approach 3

  • Open a command prompt
  • Go to the Tomcat lib folder
  • Create a folder structure like org/apache/catalina/util:

D:\Tools\Apache\apache-tomcat-6.0.26\lib>mkdir org\apache\catalina\util

  • Create an empty file named ServerInfo.properties inside org/apache/catalina/util
  • Add a line such as server.info=Apache Tomcat Version X
  • Save it
  • Restart / start the Tomcat server

 

After starting the server, request any wrong application URL or wrong Tomcat URL; you will then see the output below.
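The wrong-URL check above can be scripted so it is repeatable after each change. The following Python sketch is an added example, not part of the original tutorial: it scans a raw HTTP response for a versioned Server header and for the versioned banner in the error page. The sample responses are constructed, and the stock `Apache-Coyote/1.1` header value is an assumption about an unmodified Tomcat 6 connector.

```python
import re

# A product token that still carries a version number, e.g. "Apache-Coyote/1.1".
HEADER_RE = re.compile(r"[A-Za-z][\w .-]*/\d+(?:\.\d+)+")
# The banner Tomcat's default error page prints, taken from server.info.
BODY_RE = re.compile(r"Apache Tomcat/\d+(?:\.\d+)+")

def split_response(raw):
    """Split a raw HTTP/1.1 response into (status code, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers, body

def find_version_leaks(raw):
    """Return (location, leaked string) pairs found in one response."""
    status, headers, body = split_response(raw)
    leaks = []
    match = HEADER_RE.search(headers.get("server", ""))
    if match:
        leaks.append(("Server header", match.group(0)))
    match = BODY_RE.search(body)
    if match:
        where = "error page" if status >= 400 else "response body"
        leaks.append((where, match.group(0)))
    return leaks

def sample_404(server, banner):
    """Constructed 404 response shaped like Tomcat's default error page."""
    body = (f"<html><head><title>{banner} - Error report</title></head>"
            f"<body><h1>HTTP Status 404 - /nope</h1><h3>{banner}</h3></body></html>")
    return (f"HTTP/1.1 404 Not Found\r\nServer: {server}\r\n"
            f"Content-Type: text/html;charset=utf-8\r\n\r\n{body}")

# Constructed samples: stock install, Approach 1 only, Approach 1 plus 2 or 3.
STOCK = sample_404("Apache-Coyote/1.1", "Apache Tomcat/6.0.26")
APPROACH_1 = sample_404("Apache Tomcat", "Apache Tomcat/6.0.26")
APPROACH_1_AND_2 = sample_404("Apache Tomcat", "Apache Tomcat")

if __name__ == "__main__":
    for label, raw in [("stock", STOCK), ("approach 1", APPROACH_1),
                       ("approach 1 + 2/3", APPROACH_1_AND_2)]:
        print(label, find_version_leaks(raw))
```

The middle sample shows why Approach 1 alone is not enough: the header is clean, but the error page still reports the version.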


 

I hope you now understand how to disable the Apache Tomcat server version in the response header and error page, using the different approaches, to fix the security issue. Please leave a comment if you need any assistance.

 

Narayanaswamy
