There was a "bug" fixed in the apache webserver somewhere back in 1.3 (maybe 1.3.26 or so) to hide the exact version number in error messages. Has there been any consideration to doing the same in Tomcat? The reason for the change was that in knowing the exact version, a hacker might be able to exploit a vulnerability known in that particular version. I know there are ways to hide the exact version by creating custom errorLogValves and such, but it seems I should have to. Also, I am not sure what all classes I need to override to get rid of all the version numbers. This may seem a minor point, but security folks love to make big issues out of minor points like this. I am not sure which Tomcat component this falls into, probably several since many things handle their own error messages
You can do it already.