Error Handling - Do not include error details in the default JSP error pages

Issue date: 27-10-2020
Affects versions: 14.2, 13.4, 12.6

Security Issue ID

SECURITY-140

Affected Product Version(s)

14.2.2, 13.4.3, 12.6.10 (and previous patch releases)

Severity 

medium

Description

The error page templates generated by default when a project is created from the Bloomreach Experience Manager Maven archetype display the class name of the exception when a 500 Internal Server Error occurs. This is an unnecessary internal implementation detail that should not be revealed to users: exception class names disclose which frameworks and components are in use and can help an attacker fingerprint the site. Error pages should show a generic message to the visitor and leave the exception type, message and stack trace in the server-side log. For more information on writing custom error pages see Handle Error Codes and Exceptions in web.xml. For more information on best practices for handling site errors see the OWASP page for Improper Error Handling.
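The following is an added example of a JSP error page, not the archetype's own template. It shows the kind of line that leaks the exception class (kept as a comment so that it is never executed) next to a hardened version that logs the full exception on the server and gives the visitor only a generic message and an opaque incident reference. The logger category, the incident-id scheme and the page paths are assumptions made for the example.

```jsp
<%-- Added example (not the brXM archetype template): a 500 error page that does not
     reveal implementation details. Assumes SLF4J is on the classpath, as it is in a
     typical brXM site webapp; the logger name "error-page" is an assumption. --%>
<%@ page isErrorPage="true" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%@ page import="java.util.UUID" %>
<%@ page import="org.slf4j.Logger, org.slf4j.LoggerFactory" %>
<%
    // On an isErrorPage="true" page the container exposes the implicit 'exception'
    // object. It is null when the page is reached via an <error-code> mapping
    // rather than an <exception-type> mapping, so every use below must tolerate null.

    // LEAKS internal details - do not do this in a production error page:
    //   out.println("Error: " + exception.getClass().getName());
    //   out.println(exception.getMessage());
    // The class name reveals the frameworks in use; the message may contain
    // repository paths, node names or query fragments.

    // Hardened: keep the detail server-side, correlate through an opaque id.
    final Logger log = LoggerFactory.getLogger("error-page");
    final String incidentId = UUID.randomUUID().toString();
    final Object statusCode = request.getAttribute("javax.servlet.error.status_code");
    final Object requestUri = request.getAttribute("javax.servlet.error.request_uri");
    // SLF4J treats a trailing Throwable argument as the exception to log with its stack trace.
    log.error("incident={} status={} uri={}", incidentId, statusCode, requestUri, exception);

    response.setStatus(500);
    response.setHeader("Cache-Control", "no-store");
%>
<!DOCTYPE html>
<html lang="en">
<head><title>Something went wrong</title></head>
<body>
  <h1>Something went wrong</h1>
  <%-- incidentId is a UUID generated here, so it is safe to write into the page without escaping. --%>
  <p>The request could not be completed. If the problem persists, contact support and
     quote reference <%= incidentId %>.</p>
</body>
</html>
```

The incident id gives support staff a handle to find the logged stack trace without anything about the failure leaving the server. Anything else written into the page from the request (for example the request URI) would need HTML escaping first; this example deliberately writes none of it.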

Instructions

When generating a new brXM project, use Maven archetype version 14.3.0 or later, or 13.4.4 or later. This ensures that the default error pages for newly generated projects do not include unneeded details.

Customers are advised to verify that existing projects follow the recommendations for Error Handling and to update them according to Handle Error Codes and Exceptions in web.xml as needed. Regenerating a project with a fixed archetype does not change the error pages already present in an existing project; those must be reviewed and corrected by hand.
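As an added example of the web.xml side of this (not the project's own configuration), the fragment below maps both HTTP status codes and uncaught exceptions to detail-free JSP pages so that the servlet container's built-in error report is never served. The page paths under /WEB-INF/ are assumptions; pages there are reachable through an error-page forward but not by direct request, which is the intent.

```xml
<!-- Added example, not the brXM project's own web.xml. Paths are hypothetical. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Explicit status-code mappings for the common cases. -->
  <error-page>
    <error-code>404</error-code>
    <location>/WEB-INF/jsp/errors/404.jsp</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/WEB-INF/jsp/errors/500.jsp</location>
  </error-page>

  <!-- Catch every uncaught exception type. Without this, an exception that is not
       wrapped in a 500 by the application reaches the container's default error
       report, which typically prints the exception class and stack trace. -->
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/WEB-INF/jsp/errors/500.jsp</location>
  </error-page>

  <!-- Servlet 3.0+: an error-page with only a location is the default for any
       status code or exception not matched above. -->
  <error-page>
    <location>/WEB-INF/jsp/errors/500.jsp</location>
  </error-page>
</web-app>
```

To check an existing deployment, request a URL known to fail (for example a page whose template throws) and confirm the response body contains no "Exception" or stack-trace text and no Java package names; do the same for a non-existent path to cover the 404 mapping. Note that on Tomcat the built-in ErrorReportValve is what renders the default report; the mappings above take precedence for any matched error, and the valve's showReport and showServerInfo attributes can additionally be set to false in server.xml as a defence in depth for anything unmapped.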