The default error pages provide a detailed report and server version by default. To prevent information disclosure and gathering this default behaviour should be changed to not to report this information. This could probably be done by setting public class ErrorReportValve extends ValveBase { private boolean showReport = false; private boolean showServerInfo = false; }
Discussion of this topic - if desired - belongs on the users list.