Information disclosure from host response

Issue

ColdFusion users have reported that, under certain circumstances, the Tomcat server responds to requests with a verbose error report that exposes limited technical information about the environment (the Tomcat error page can include server details that help an attacker fingerprint the installation).

This issue can be resolved with the following workaround.

Workaround

  1. Stop ColdFusion server.

  2. Open [Instance Home]\runtime\conf\server.xml in a text editor.

    It is a good practice to back up server.xml before making changes.

  3. In the Host node, add the following Valve element:

    <Valve
        className="org.apache.catalina.valves.ErrorReportValve"
        showReport="false"
        showServerInfo="false"
    />

    You can also refer to the following Tomcat documentation:

  4. The updated server.xml file is shown below:

    <Host autoDeploy="false" appBase="webapps" name="localhost" unpackWARs="false">
        <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false"/>
        ...
    </Host>
  5. Restart ColdFusion.

Custom error page

You can add a custom error page in ColdFusion (2018 release).

To customize the message, add the following:

errorCode.<Status Code>="Path to error page relative to the runtime folder"

For example, to customize the page for HTTP error 500, add the errorCode.500 attribute to the <Valve/> element in server.xml:

<Valve
    className="org.apache.catalina.valves.ErrorReportValve"
    showReport="false"
    showServerInfo="false"
    errorCode.500="../wwwroot/WEB-INF/exception/Error.html"
/>

You must create the custom error page yourself and place it in the specified folder; the path is resolved relative to the runtime folder.
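The following script is an added example, not part of this article or of the ColdFusion or Tomcat projects. It audits a server.xml for the workaround above (an ErrorReportValve with showReport="false" and showServerInfo="false" on every Host) and lists any errorCode.<status> custom pages, so an administrator can confirm the change was applied before restarting. The two embedded server.xml fragments are constructed samples, not taken from a real instance; a Host with no ErrorReportValve declared is reported as a problem because Tomcat adds an implicit ErrorReportValve whose showReport and showServerInfo attributes default to true.

```python
"""Audit a Tomcat server.xml for the ErrorReportValve hardening described above."""
import sys
import xml.etree.ElementTree as ET

ERROR_VALVE = "org.apache.catalina.valves.ErrorReportValve"

# Constructed sample: a Host with the workaround applied and a custom 500 page.
SAMPLE_HARDENED_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host autoDeploy="false" appBase="webapps" name="localhost" unpackWARs="false">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false"
               showServerInfo="false"
               errorCode.500="../wwwroot/WEB-INF/exception/Error.html"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: the same Host before the workaround (no valve declared).
SAMPLE_UNHARDENED_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host autoDeploy="false" appBase="webapps" name="localhost" unpackWARs="false"/>
    </Engine>
  </Service>
</Server>
"""


def _is_false(value):
    """Tomcat converts boolean attributes case-insensitively; treat only "false" as off."""
    return value is not None and value.strip().lower() == "false"


def audit_hosts(xml_text):
    """Return one finding dict per Host element in the given server.xml text."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("Host"):
        entry = {
            "host": host.get("name"),
            "valve_declared": False,
            "show_report": True,        # Tomcat default when the attribute is absent
            "show_server_info": True,   # Tomcat default when the attribute is absent
            "custom_pages": {},
            "problems": [],
        }
        valves = [v for v in host.findall("Valve") if v.get("className") == ERROR_VALVE]
        if not valves:
            entry["problems"].append(
                "no ErrorReportValve declared; Tomcat's implicit valve keeps the verbose defaults")
        else:
            valve = valves[0]
            entry["valve_declared"] = True
            entry["show_report"] = not _is_false(valve.get("showReport"))
            entry["show_server_info"] = not _is_false(valve.get("showServerInfo"))
            # Collect errorCode.<status> attributes, e.g. errorCode.500="...".
            for name, path in valve.attrib.items():
                if name.startswith("errorCode."):
                    entry["custom_pages"][name.split(".", 1)[1]] = path
            if entry["show_report"]:
                entry["problems"].append('showReport is not "false"')
            if entry["show_server_info"]:
                entry["problems"].append('showServerInfo is not "false"')
        findings.append(entry)
    return findings


def audit_file(path):
    """Audit a server.xml on disk, e.g. [Instance Home]/runtime/conf/server.xml."""
    with open(path, encoding="utf-8") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    # Usage: python audit_error_valve.py [path/to/server.xml]; defaults to the samples.
    if len(sys.argv) > 1:
        results = audit_file(sys.argv[1])
    else:
        results = audit_hosts(SAMPLE_HARDENED_XML) + audit_hosts(SAMPLE_UNHARDENED_XML)
    for f in results:
        status = "OK" if not f["problems"] else "NEEDS WORKAROUND"
        print(f"Host {f['host']}: {status}")
        for problem in f["problems"]:
            print(f"  - {problem}")
        for code, page in sorted(f["custom_pages"].items()):
            print(f"  custom page for {code}: {page}")
```

Run it against the real file after editing and before restarting ColdFusion; a Host that still shows NEEDS WORKAROUND will keep returning the verbose Tomcat error report.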