Deployment - Vulnerability Scanner Showing Finding For SonarQube (12085 - Apache Tomcat Default Files)

Hello,

We use Nessus to assess servers for vulnerabilities in our environment. When scanning our server being used for SonarQube, we are showing a finding for Tomcat default files being present. https://www.tenable.com/plugins/nessus/12085

When testing a non-existent path under the sonarqube context (e.g. http://server.com:9000/sonarqube/badpath), we received a custom error page (this is the desired functionality).

However, when accessing a page outside of the sonarqube context (e.g. http://server.com:9000/badpath), we receive the default Apache error page, which includes Tomcat version information. It appears that Tomcat might be embedded, so I don’t see any applicable conf files where we could change this behavior.

Is there any way to disable/modify the tomcat error page?

As a mitigation, we put SonarQube behind an Apache service so we can control the error shown for non-existent paths, but this doesn’t necessarily solve the core complaint of the vulnerability scanner.

Thank you for any help you can provide.
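Added example, not code from the original thread or from SonarQube or Nessus: a small Python check of the kind a defender would run to reproduce the finding above and to confirm a fix afterwards. It classifies the response to a request for a non-existent path as either the stock Tomcat error report page (with or without the version footer) or a custom page. The two sample bodies are constructed, the version number in them is a placeholder, and `check_server` is a hypothetical helper name.

```python
"""Offline check: does a 404 response disclose the Tomcat version?

Added example for this thread, not SonarQube's or Nessus's code. The sample
response bodies below are constructed; the version number in them is a
placeholder, not a real SonarQube/Tomcat version.
"""
import re
import secrets
import urllib.error
import urllib.request

# Version string Tomcat prints in the footer of its default error page and,
# on some setups, in the Server header.
TOMCAT_VERSION_RE = re.compile(r"Apache Tomcat/(\d+(?:\.\d+)+)")
# Markers that identify Tomcat's stock error report page even when the
# version footer has been stripped.
DEFAULT_PAGE_MARKERS = ("Status Report", "HTTP Status ")


def find_tomcat_version(headers, body):
    """Return the disclosed Tomcat version from headers or body, else None."""
    for name, value in headers.items():
        if name.lower() in ("server", "x-powered-by"):
            match = TOMCAT_VERSION_RE.search(value)
            if match:
                return match.group(1)
    match = TOMCAT_VERSION_RE.search(body)
    return match.group(1) if match else None


def is_default_tomcat_error_page(body):
    """True if the body looks like Tomcat's built-in error report page."""
    return all(marker in body for marker in DEFAULT_PAGE_MARKERS)


def assess(headers, body):
    """Classify a response to a request for a path that should not exist.

    Returns (finding, version):
      ("version_disclosed", "x.y.z")    - the scanner finding would trigger
      ("default_page_no_version", None) - stock page, version hidden
      ("custom_page", None)             - the desired behaviour
    """
    version = find_tomcat_version(headers, body)
    if version:
        return ("version_disclosed", version)
    if is_default_tomcat_error_page(body):
        return ("default_page_no_version", None)
    return ("custom_page", None)


def check_server(base_url, timeout=5):
    """Request a random non-existent path under base_url and assess the reply.

    Hypothetical helper: run it against your own server after a fix to
    confirm the default page is gone. Not called at import time.
    """
    url = f"{base_url.rstrip('/')}/{secrets.token_hex(8)}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            headers, body = dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # a 404 is delivered here
        headers, body = dict(err.headers), err.read().decode("utf-8", "replace")
    return assess(headers, body)


# --- constructed samples ---------------------------------------------------
# Shape of Tomcat's stock 404 page; "9.0.0" is a placeholder version.
DEFAULT_TOMCAT_404 = (
    "<!doctype html><html><head><title>HTTP Status 404 - Not Found</title></head>"
    "<body><h1>HTTP Status 404 - Not Found</h1><hr class=\"line\" />"
    "<p><b>Type</b> Status Report</p>"
    "<p><b>Description</b> The origin server did not find a current representation "
    "for the target resource.</p><hr class=\"line\" />"
    "<h3>Apache Tomcat/9.0.0</h3></body></html>"
)
# The kind of branded page an application returns under its own context.
CUSTOM_404 = "<!doctype html><html><body><h1>Page not found</h1></body></html>"

if __name__ == "__main__":
    print("outside context:", assess({"Server": "Apache-Coyote/1.1"}, DEFAULT_TOMCAT_404))
    print("inside context: ", assess({}, CUSTOM_404))
    # Live re-test of your own server, e.g. check_server("http://server.com:9000")
```

Running the module as a script prints the classification of both constructed samples; `check_server` is what you would call against the real host (including through the Apache front end mentioned in the post) to verify that the stock page, and with it the version footer, is no longer reachable.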

Hi,

Welcome to the community & thanks for your report!

I’ve forwarded this post to our security team. So you know, our disclosure policy calls for a more private reporting of potential vulnerabilities, so I’ve “unlisted” this topic for now (keeps it out of Google & digests etc.). Once we sort things out (e.g. fix) we’ll un-unlist the topic.

Ann

Hi Ann,

Thank you. Also, I apologize for the confusion on the disclosure policy. I think this particular vulnerability in the Nessus scanner isn’t an actual vulnerability in SonarQube, but more so a “suggestion” to not display the Tomcat server version. (It gives attackers more information to potentially exploit an issue in the version of Tomcat being used, if a new vulnerability was found etc. in that version.) I was not trying to suggest SonarQube has an actual vulnerability.


Hi,

The take on this is that it’s not a security problem since SonarQube is open source & the version of Tomcat is public by default. However, a UI ticket has been created to improve this.

Ann