Apache Tomcat sample files
Description
A default Apache Tomcat installation ships with several web applications that are not part of your deployment: the examples application (sample servlets, JSPs and WebSocket demos), the docs application (the bundled documentation, which states the exact Tomcat version), the default ROOT welcome page, and the manager and host-manager administration applications. Left in place on a production server, these expose the Tomcat version, configuration details and directory layout, and the examples application adds executable sample code that was never meant to be reachable from the internet. An attacker uses this information during reconnaissance to fingerprint the server and select version-specific attacks against the application or the host.
Remediation
Remove all default example applications and sample files from production Tomcat installations. This includes:
1. Delete the following directories from the webapps folder:
- examples
- docs
- ROOT (unless your own application is deployed there; the default ROOT is only the Tomcat welcome page)
- host-manager
- manager (unless it is required for deployments; if kept, restrict it to a dedicated role and to trusted source addresses)
2. Verify removal by checking the webapps directory:
ls -la $CATALINA_HOME/webapps/
3. Restart Tomcat to ensure changes take effect:
$CATALINA_HOME/bin/shutdown.sh
$CATALINA_HOME/bin/startup.sh
4. For automated deployments, configure your deployment scripts to exclude these directories during installation. Consider using a minimal Tomcat distribution or creating a custom base image without example applications.
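The steps above carried out as a script, added here as an example rather than anything shipped with Tomcat: it stops the server, removes the default applications (and any leftover .war or context descriptor that would otherwise let Tomcat redeploy them), verifies that nothing remains, and starts the server again. It assumes a standard layout under $CATALINA_HOME with the Catalina engine and localhost host names that Tomcat uses by default; the function names and the --run / with-manager arguments are this script's own.

```shell
#!/bin/sh
# Added example, not part of Tomcat: strip the default web applications from
# a Tomcat installation and confirm they are gone.  Assumes the standard
# $CATALINA_HOME layout (webapps/, conf/Catalina/localhost/, bin/).

# Names of the applications to remove.  The manager application is kept
# unless "with-manager" is passed, because some deployments need it.
apps_to_remove() {
    printf '%s\n' examples docs ROOT host-manager
    [ "${1:-}" = "with-manager" ] && printf '%s\n' manager
    return 0
}

# Print those of the named applications ($2...) still present under the
# webapps directory $1, either as an exploded directory or as a .war file.
list_present() {
    webapps="$1"; shift
    for app in "$@"; do
        if [ -e "$webapps/$app" ] || [ -e "$webapps/$app.war" ]; then
            printf '%s\n' "$app"
        fi
    done
}

# Remove the default applications from the webapps directory $1.  The .war
# is removed too, since autoDeploy would re-expand a leftover archive, and
# so is a context descriptor conf/Catalina/localhost/<app>.xml if one exists
# (for example after a deployment with copyXML="true").
remove_default_apps() {
    webapps="$1"
    conf="$(dirname "$webapps")/conf/Catalina/localhost"
    for app in $(apps_to_remove "${2:-}"); do
        rm -rf "$webapps/$app" "$webapps/$app.war"
        rm -f "$conf/$app.xml"
    done
}

# Return 0 when none of the applications to remove remain under $1.
verify_clean() {
    remaining="$(list_present "$1" $(apps_to_remove "${2:-}"))"
    if [ -n "$remaining" ]; then
        printf 'still present under %s: %s\n' "$1" \
            "$(printf '%s' "$remaining" | tr '\n' ' ')" >&2
        return 1
    fi
    printf 'no default applications remain under %s\n' "$1"
    return 0
}

# Usage against a real installation:
#   sh remove_default_webapps.sh --run [with-manager]
# Tomcat is stopped first so that autoDeploy cannot race the removal.
if [ "${1:-}" = "--run" ]; then
    webapps="${CATALINA_HOME:?set CATALINA_HOME first}/webapps"
    "$CATALINA_HOME/bin/shutdown.sh"
    remove_default_apps "$webapps" "${2:-}"
    verify_clean "$webapps" "${2:-}" || exit 1
    "$CATALINA_HOME/bin/startup.sh"
fi
```

Run it once with `--run` and again with `--run with-manager` if the manager application is not needed; the verification step exits non-zero if any of the listed applications is still deployable, which makes the script usable as a check in a base-image build.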