Stack Trace Disclosure (Tomcat) - Vulnerability Database

Stack Trace Disclosure (Tomcat)

Description

The application exposes detailed stack traces from Apache Tomcat when errors occur. Stack traces are diagnostic messages that reveal the internal execution flow of the application, including file paths, code structure, framework versions, and configuration details. While useful for debugging, exposing these traces to end users creates an information disclosure vulnerability that attackers can exploit to understand the application's architecture and identify potential attack vectors.

Remediation

Implement proper error handling to prevent stack traces from being displayed to end users:

1. Configure custom error pages in web.xml:

<error-page>
  <exception-type>java.lang.Throwable</exception-type>
  <location>/error.jsp</location>
</error-page>
<error-page>
  <error-code>500</error-code>
  <location>/error.jsp</location>
</error-page>

2. Implement centralized exception handling (shown here inside a servlet request method):

protected void doGet(HttpServletRequest request, HttpServletResponse response)
    throws IOException {
  try {
    // Application code
  } catch (Exception e) {
    // Log the full exception, including its stack trace, only to the server-side log
    logger.error("Error processing request", e);
    // Return a generic message to the client; never include e.getMessage() or the trace
    response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
      "An error occurred. Please contact support.");
  }
}

3. Disable detailed error messages in production:

Set the following in your Tomcat server.xml or context.xml:

<Valve className="org.apache.catalina.valves.ErrorReportValve"
       showReport="false"
       showServerInfo="false" />

4. Ensure all exceptions are logged securely to internal logging systems where developers can access them for debugging without exposing details to users.
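The following servlet is an added example, not code from the Invicti page or from Apache Tomcat, showing what the error-page target referenced in step 1 can look like when steps 2 and 4 are applied centrally. It assumes the web.xml <location> is changed to /error so that the container forwards every unhandled exception and 500 response to this servlet (an assumption; the page uses /error.jsp), that the Servlet 3.0+ API is on the classpath (javax.servlet; on Tomcat 10 the package is jakarta.servlet), and that java.util.logging is an acceptable stand-in for the page's unnamed logger. The full stack trace is written only to the server log under a random reference id; the client receives that id and a generic message, so support staff can correlate the report without the trace ever leaving the server.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical error-page servlet; pair it with
//   <error-page><exception-type>java.lang.Throwable</exception-type><location>/error</location></error-page>
//   <error-page><error-code>500</error-code><location>/error</location></error-page>
@WebServlet("/error")
public class ErrorHandlerServlet extends HttpServlet {

    private static final Logger LOG = Logger.getLogger(ErrorHandlerServlet.class.getName());

    // service() rather than doGet(): the container forwards with the original method (GET, POST, ...).
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Attributes set by the container when it forwards to an error page (Servlet 3.0+ constants).
        Throwable cause = (Throwable) req.getAttribute(RequestDispatcher.ERROR_EXCEPTION);
        Integer statusCode = (Integer) req.getAttribute(RequestDispatcher.ERROR_STATUS_CODE);
        String failedUri = (String) req.getAttribute(RequestDispatcher.ERROR_REQUEST_URI);

        int status = (statusCode != null) ? statusCode : HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
        String reference = UUID.randomUUID().toString();

        // Full detail (including the stack trace, if any) goes to the server-side log only.
        LOG.log(Level.SEVERE,
                "ref=" + reference + " status=" + status + " uri=" + failedUri, cause);

        // The client sees the status, the reference id and a fixed message: no class names,
        // no exception message, no file paths, no Tomcat version string.
        resp.setStatus(status);
        resp.setContentType("text/html;charset=UTF-8");
        resp.setHeader("Cache-Control", "no-store");
        try (PrintWriter out = resp.getWriter()) {
            out.println("<!DOCTYPE html><html><head><title>Error</title></head><body>");
            out.println("<h1>An error occurred</h1>");
            out.println("<p>Please contact support and quote reference <code>"
                    + reference + "</code>.</p>");
            out.println("</body></html>");
        }
    }
}
```

Two practical notes. First, the ErrorReportValve setting from step 3 is still worth keeping even with this servlet in place: it covers errors raised before a web application's own error page can be dispatched (for example a failure inside the container itself) and it is what suppresses the "Apache Tomcat/x.y.z" version banner. Second, after deploying, confirm the fix by requesting a path known to fail and checking that the response body contains neither a "<pre>" exception dump nor strings such as "org.apache.catalina" or "java.lang."; if it still does, the error-page mapping is not matching the thrown type or status.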

Related Vulnerabilities