Has anyone else come across a vulnerability detected by their scanner that described 'a default error page was found to be installed on the remote Apache Tomcat server'?
According to the remediation recommendation, it says the files should be removed or adjusted so they do not return generic, default information. I have followed the Apache instructions but cannot find where in the vCenter files the correct .xml would be to adjust, if there even would be one.
Any suggestions?
Hey Fmorrison,
I have the same issues on all my vCenters; can't find a solution yet.
What version of vc is this?
Share output of vpxd -v
6.0.0.30800 Build Number 9448190
and
6.7.0.21000 Build Number 11726888
Per release notes I see the issue is resolved in vCSA 6.5U2d:
VMware vCenter Server 6.5 Update 2d Release Notes
Snippet from release notes:
====================================================
Apache server details, such as version, might appear on vCenter Server urls
Apache server details, including the version, might appear on vCenter Server urls, such as https:// :9443/vsphere-client/inventory-viewer/locales/help . The Apache server details might be visible for all the context present in the product.
This issue is resolved in this release.
=================================================
AFAIK for 6.0 and 6.7 the fix will be available in the next update (or patch) release.
File a request with VMware support, I think they would give you more information regarding this.
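One way to re-check the finding discussed in this thread after an update is applied, as an added example that is not from any poster or from VMware. The marker patterns are heuristics for Tomcat's stock error page, the sample responses are constructed, and the URL passed to `fetch_error_page` is whatever path your scanner flagged.

```python
import re
import ssl
import urllib.error
import urllib.request

# Heuristic markers of Tomcat's stock error report page (assumed, not from the thread).
BANNER = re.compile(r"Apache Tomcat/(\d+(?:\.\d+)+)")
STATUS = re.compile(r"<title>[^<]*HTTP Status \d{3}", re.I)

# Constructed sample responses (version string is made up for illustration).
UNPATCHED = ({"Server": "Apache-Coyote/1.1"},
             "<html><head><title>HTTP Status 404 - /x</title></head><body>"
             "<h1>HTTP Status 404 - /x</h1><h3>Apache Tomcat/8.5.13</h3></body></html>")
CUSTOM = ({}, "<html><body>Page not found</body></html>")


def audit_error_response(headers, body):
    """Return a list of disclosure findings for one HTTP error response."""
    findings = []
    m = BANNER.search(body)
    if m:
        findings.append("body discloses Apache Tomcat version " + m.group(1))
    elif STATUS.search(body):
        findings.append("looks like the stock Tomcat error page (no version shown)")
    server = {k.lower(): v for k, v in headers.items()}.get("server", "")
    if re.search(r"Apache-Coyote|Apache Tomcat", server, re.I):
        findings.append("Server header identifies Tomcat: " + server)
    return findings


def fetch_error_page(url, verify_tls=True):
    """GET a URL expected to return an error; return (headers, body)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for an appliance you own with a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        resp = urllib.request.urlopen(url, context=ctx, timeout=10)
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a body
        resp = err
    try:
        return dict(resp.headers.items()), resp.read().decode("utf-8", "replace")
    finally:
        resp.close()


if __name__ == "__main__":
    for name, (hdrs, body) in (("unpatched", UNPATCHED), ("custom", CUSTOM)):
        print(name, audit_error_response(hdrs, body))
```

An empty list from `audit_error_response(*fetch_error_page(url))` means neither the body nor the `Server` header matched these markers.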
