IDPA: Apache Tomcat default installation and or welcome page installed on IDPA ACM

Summary: The article provides a workaround for Security Vulnerabilities for "Apache Tomcat default installation and or welcome page installed" detected on ACM.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Instructions

Note: This article is aimed at PowerProtect Data Protection (DP) Series Appliances and Integrated Data Protection Appliance (IDPA) version 2.7.6 and 2.7.9.
For PowerProtect DP Series Appliances and IDPA versions 2.7.2, 2.7.3, and 2.7.4, see KB IDPA: Security Vulnerabilities for Apache Tomcat default installation.
For other IDPA versions with the same issue on different Apache Tomcat versions, the workaround is similar, but on a different Tomcat directory. 


If the following security vulnerability was detected on the IDPA ACM version 2.7.6:

Vulnerability Title Components Service Port Vulnerability Severity Level Vulnerability ID Vulnerability Proof
Apache Tomcat default installation and or welcome page installed ACM 8543 5 apache-tomcat-default-install-page Running an HTTPS service

Product Tomcat exists -- Apache Tomcat 9.0.82.

HTTP GET request to https://<ACM IP>:8543/
HTTP response code was an expected 200
26: <h1>Apache Tomcat/9.0.82</h1> 27: </div> 28: <div id="upper" class="curved container"> 29: <div id="congrats" class="curved container"> 30: ... this, you've successfully installed Tomcat. Congratulations!</h2>

 

NOTE: A fix for this issue has been added to the goidpa tool, follow the below KB to install goidpa:

PowerProtect Data Protection Appliance: GoIDPA too

Then run the following command on the ACM:

./goidpa appliance index-fix

 


Here is the manual procedure to work around the issue:

  1. Log in to the ACM as root.
  2. Change the working directory to /usr/local/dataprotection/apache-tomcat-9.0.82/webapps/ROOT (in 2.7.9 this is /usr/local/datarprotection/tomcat/webapps/ROOT)
cd /usr/local/dataprotection/apache-tomcat-9.0.82/webapps/ROOT

 

Note: For other IDPA software versions, the Apache Tomcat directory is different, and a wildcard can be used: 
cd /usr/local/dataprotection/apache-tomcat-9.0.*/webapps/ROOT

 

  1. Move the index.jsp to index.jsp.default
mv index.jsp index.jsp.default

 

  1. Create a new index.jsp with the following content:
<html>
<body>
<%
response.sendRedirect("../dataprotection/");
%>
</body>
</html>
  1. Verify the index.jsp and it should look like the following:


An example of how index.jsp should look after the edit
Figure 1: An example of how index.jsp should look after the edit 
 

  1. Change the owner and file permission of the newly created index.jsp
chmod 755 index.jsp
chown idpauser:idpauser index.jsp


The owner and permission setting of the index.jsp
Figure 2: The owner and permission settings of the index.jsp
 

  1. Validate the changes in the ACM command line; both of the following commands should have the same result:
curl -kv https://localhost:8543

Or

curl -kv https://<ACM IP address>:8543

The expected result should be similar to the following:
An example of the curl command output
Figure 3: An example of the curl command output
 

  1. Open a web browser and access the ACM web page 
https://<ACM IP Adddress>:8543/ 

It should redirect automatically to:

https://<ACM IP Adddress>:8543/dataprotection/#/login
  1. The vulnerability should have been resolved. Contact Support for further assistance if needed. 

Additional Information

If the ACM web page shows an "HTTP Status 500 - Internal Server Error" after following the workaround.

For example:
An example of "HTTP Status 500 - Internal Server Error"
Figure 4: An example of "HTTP Status 500 - Internal Server Error"

Log in to the ACM by SSH as the root user then restart the ACM service with the following commands: 
service dataprotection_webapp stop
service dataprotection_webapp start
Then try to log in to the ACM web page again. Contact Support for further assistance if needed. 
 

Affected Products

PowerProtect Data Protection Appliance, PowerProtect DP4400, PowerProtect DP5300, PowerProtect DP5800, PowerProtect DP8300, PowerProtect DP8800, Integrated Data Protection Appliance Family, Integrated Data Protection Appliance Software , PowerProtect DP5900, PowerProtect DP8400, PowerProtect DP8900 ...
Article Properties
Article Number: 000223313
Article Type: How To
Last Modified: 03 Sept 2025
Version:  4
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.