Apache Tomcat Application Server 9 Security Technical Implementation Guide, Version: 2, Release: 2, Benchmark Date: 22 Jan 2021

Secured connectors must be configured to use strong encryption ciphers.

DISA Rule

SV-222927r615938_rule

Vulnerability Number

V-222927

Group Title

SRG-APP-000014-AS-000009

Rule Version

TCAT-AS-000020

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

As a privileged user on the Tomcat server, edit the $CATALINA_BASE/conf/server.xml and modify the <Connector/> element.

Add the SSLEnabledProtocols="TLSv1.2" setting to the connector or modify the existing setting.

Set SSLEnabledProtocols="TLSv1.2". Save the server.xml file and restart Tomcat:
sudo systemctl restart tomcat
sudo systemctl daemon-reload

Check Contents

From the Tomcat server console, run the following command:

sudo grep -i ciphers $CATALINA_BASE/conf/server.xml

Examine each <Connector/> element that is not a redirect to a secure port. Identify the ciphers that are configured on each connector and determine if any of the ciphers are not secure.

For a list of approved ciphers, refer to NIST SP 800-52 section 3.3.1.1.

If insecure ciphers are configured for use, this is a finding.
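
The check above can be scripted so that ciphers are reported per connector rather than per matching line. The following is an added example, not part of the STIG or of Tomcat. It assumes TLS connectors are marked with SSLEnabled="true" and that ciphers are given as comma-separated suite names. The sample server.xml is constructed, and WEAK_MARKERS is a screening heuristic chosen for this example, not the NIST SP 800-52 approved list.

```python
import xml.etree.ElementTree as ET

# Screening heuristic (assumption of this example): substrings of suite names
# widely regarded as weak. It is NOT the NIST SP 800-52 approved list.
WEAK_MARKERS = ("NULL", "EXPORT", "ANON", "RC4", "DES", "MD5")

# Constructed sample server.xml fragment, for illustration only.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
    <Connector port="9443" SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_RC4_128_SHA"/>
    </Connector>
    <Connector port="10443" SSLEnabled="true" scheme="https" secure="true"/>
  </Service>
</Server>
"""

def audit_ciphers(xml_text):
    """Return {port: [weak suites]} per TLS connector; None means no ciphers set."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if (conn.get("SSLEnabled") or "").lower() != "true":
            continue  # plain connector that only redirects to a secure port
        # ciphers can sit on the Connector itself or on a nested SSLHostConfig
        values = [conn.get("ciphers")]
        values += [h.get("ciphers") for h in conn.iter("SSLHostConfig")]
        values = [v for v in values if v]
        if not values:
            report[conn.get("port")] = None  # defaults in effect; review manually
            continue
        suites = [s.strip() for v in values for s in v.split(",") if s.strip()]
        report[conn.get("port")] = [
            s for s in suites if any(m in s.upper() for m in WEAK_MARKERS)
        ]
    return report

if __name__ == "__main__":
    for port, weak in audit_ciphers(SAMPLE_SERVER_XML).items():
        if weak is None:
            print(f"port {port}: no ciphers attribute, defaults apply")
        elif weak:
            print(f"port {port}: FINDING, weak suites: {', '.join(weak)}")
        else:
            print(f"port {port}: configured suites pass the screening list")
```

A connector reported with no weak suites still has to be compared against the approved list in NIST SP 800-52 before the check is closed.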

Documentable

False

Severity Override Guidance

From the Tomcat server console, run the following command:

sudo grep -i ciphers $CATALINA_BASE/conf/server.xml

Examine each <Connector/> element that is not a redirect to a secure port. Identify the ciphers that are configured on each connector and determine if any of the ciphers are not secure.

For a list of approved ciphers, refer to NIST SP 800-52 section 3.3.1.1.

If insecure ciphers are configured for use, this is a finding.

Check Content Reference

M

Target Key

4094

Comments