Known Issue: FME Server Apache Tomcat Vulnerability with Default Files

Liz Sanderson
Known Issue ID: FMESERVER-10753
Discovery: 2018
Affects: All Versions
Resolved: 2022.2

Symptom

A security scan of FME Server has reported a vulnerability with the use of default files in Apache Tomcat. The report may be similar to the example below, which comes from the Nessus vulnerability scanner.

Synopsis: The remote web server contains default files.

Description: The default error page, default index page, example JSPs and/or example servlets are installed on the remote Apache Tomcat server. These files should be removed as they may help an attacker uncover information about the remote Tomcat install or host itself.

Solution: Delete the default index page and remove the example JSP and servlets. Follow the Tomcat or OWASP instructions to replace or modify the default error page.
 

Cause

The vulnerability with default files refers to the error pages that are returned when you request a non-existent URL endpoint from the root of your FME Server, for example https://<hostname>/testing.


The finding highlights that this page discloses the technology stack as Tomcat. These pages are expected to be FME Server branded, like the page you get when you request a non-existent URL endpoint under one of FME Server's web apps, e.g. https://<hostname>/fmeserver/testing.


Resolution

Note: in FME Server 2022.2 and newer, option 3 is deployed with the installation by default.


Option 1: Create Custom Error Page

Create your own custom error pages for the ROOT webapp in Tomcat.

  1. Open a text editor as an administrator and open web.xml located in <FMEServerInstallDir>\Utilities\tomcat\conf
  2. Go to the bottom of the file and, above the closing </web-app> element, add the following:
    <error-page>
        <error-code>404</error-code>
        <location>/error.jsp</location>
    </error-page>
    <error-page>
        <error-code>403</error-code>
        <location>/error.jsp</location>
    </error-page>
    <error-page>
        <error-code>500</error-code>
        <location>/error.jsp</location>
    </error-page>
  3. Go to <FMEServerInstallDir>\Utilities\tomcat\webapps\ROOT and create a new file called error.jsp. You can customize the contents of this file however you wish. This will be the new page that is returned if you stumble across an error at the root URL of your FME Server. The simple example I used in my testing was:
    <!doctype html>
    <title>Something went wrong!</title>
    <body>
    <p>There was an error accessing FME Server, please return to <a href="https://<hostname>/fmeserver">https://<hostname>/fmeserver</a> and start again.</p>
    </body>
  4. Restart the FME Server Web Application Server Service
  5. Navigate to http(s)://<hostname>/testing and you should now see your custom HTML page.

Note: If you prefer, you can create a different .jsp page for each error code and edit the location tags in step 2 to point to the name of each new page.
 

Option 2: Disable Tomcat Name/Version

Create a ServerInfo.properties file to hide the Tomcat name and version from the default error page.

  1. Go to <FMEServerInstallDir>\Utilities\tomcat\lib and create the additional folders org\apache\catalina\util
  2. Create a new properties file with the name ServerInfo.properties inside the new util folder
  3. Edit the file and add the line server.info=Application Server
  4. Save the file and restart the FME Server Web Application Server Service
  5. Navigate to http(s)://<hostname>/testing and you should now see 'Application Server' instead of 'Apache Tomcat/Version'

[Screenshot: 404RemoveTomcat.png]


Option 3: Hide Tomcat Name/Version and Message Details

Note: this configuration is included by default in FME Server 2022.2 and newer.

  1. Open a text editor as an administrator and open server.xml located in <FMEServerInstallDir>\Utilities\tomcat\conf
  2. Go to the bottom of the file and, below the closing </Host> tag, insert the following:
    <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" /> 
  3. Save the file and restart the FME Server Web Application Server Service
  4. Navigate to http(s)://<hostname>/testing and you should now see that only the error code is reported.
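A check for the verification step that closes each option above, added here as an example and not part of the original article or of FME Server itself: it requests a non-existent path under the root webapp (the hostname argument and a trusted TLS certificate are assumed) and reports whether the response body still carries the "Apache Tomcat/<version>" string or the stock Tomcat status report text that the scanner flags, so you can see what each option changed.

```python
"""Audit the root-level error page of an FME Server (Tomcat) for the
disclosures reported by the default-files finding. Example code; the
marker strings are those of the stock Tomcat error report page."""
import re
import sys
import urllib.error
import urllib.request

# Version banner printed by the default ErrorReportValve, e.g. "Apache Tomcat/9.0.65".
SERVER_INFO_RE = re.compile(r"Apache Tomcat/\d[\w.\-]*")
# Text fragments of the stock status report (shown unless showReport="false").
DEFAULT_REPORT_MARKERS = ("Type Status Report", "The origin server did not find")


def audit_error_page(body: str) -> dict:
    """Return which disclosures remain in an error-page body.

    server_info    -> the 'Apache Tomcat/<version>' string, or None
    default_report -> True if the stock Tomcat status report text is present
    disclosing     -> True if either of the above was found
    """
    # Strip tags and collapse whitespace so "<b>Type</b> Status Report" matches.
    text = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", body))
    match = SERVER_INFO_RE.search(text)
    default_report = any(marker in text for marker in DEFAULT_REPORT_MARKERS)
    return {
        "server_info": match.group(0) if match else None,
        "default_report": default_report,
        "disclosing": bool(match) or default_report,
    }


def fetch_error_page(base_url: str, path: str = "/testing") -> tuple:
    """Request a non-existent endpoint under the root webapp; return (status, body)."""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 404/403/500 are the responses we want
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Usage: python audit_error_page.py https://<hostname>   (hostname assumed)
    status, page = fetch_error_page(sys.argv[1] if len(sys.argv) > 1 else "https://localhost")
    result = audit_error_page(page)
    print(f"HTTP {status}: {result}")
    sys.exit(1 if result["disclosing"] else 0)
```

With option 2 applied the version banner disappears but the status report remains, so the audit still reports default_report; option 3 or a custom page under option 1 clears both.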



Troubleshooting

For option 1, if using Internet Explorer as your web browser, you will need to enable 'Friendly Error Messages' for this page to display correctly.
 
