STIGQter: STIG Summary: Apache Tomcat Application Sever 9 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021

TLS 1.2 must be used on secured HTTP connectors.

DISA Rule

SV-222929r615938_rule

Vulnerability Number

V-222929

Group Title

SRG-APP-000015-AS-000010

Rule Version

TCAT-AS-000040

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

As a privileged user on the Tomcat server, edit the $CATALINA_BASE/conf/server.xml and modify the <Connector/> element.

Add the "SSLEnabledProtocols=" flag to the connector or modify the existing flag.

Set SSLEnabledProtocols="TLSv1.2". Save the server.xml file and restart Tomcat:
sudo systemctl restart tomcat
sudo systemctl daemon-reload

Check Contents

From the Tomcat server console, run the following command:

sudo cat $CATALINA_BASE/conf/server.xml

Examine each <Connector/> element.

For every HTTP protocol connector:
Verify the SSLEnabledProtocols="TLSv1.2" flag is set on each connector.

If the SSLEnabledProtocols setting is not set to TLSv1.2 or greater, this is a finding.
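
The check above can be scripted. The following is an added example, not part of the STIG or of Tomcat: it parses a server.xml and reports each HTTP connector that fails the check. The sample XML is constructed, the function name audit_connectors is hypothetical, and two things are assumptions: a protocol value containing "ajp" marks a non-HTTP connector, and the attribute name is matched case-insensitively.

```python
import xml.etree.ElementTree as ET

ALLOWED = {"TLSv1.2", "TLSv1.3"}  # "TLSv1.2 or greater", per the check text

# Constructed sample server.xml (not taken from any real system).
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               SSLEnabledProtocols="TLSv1.2"/>
    <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1.1,TLSv1.2"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""


def audit_connectors(xml_text):
    """Return (port, reason) findings, applying the check to every HTTP connector."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        # Assumption: a protocol value containing "ajp" is not an HTTP connector.
        if "ajp" in conn.get("protocol", "HTTP/1.1").lower():
            continue
        port = conn.get("port", "?")
        # Assumption: match the attribute name case-insensitively, since the
        # STIG text and Tomcat's documentation capitalise it differently.
        values = [v for k, v in conn.attrib.items()
                  if k.lower() == "sslenabledprotocols"]
        if not values:
            findings.append((port, "SSLEnabledProtocols not set"))
            continue
        tokens = [t.strip() for t in values[0].split(",") if t.strip()]
        # Anything other than an allowed token is flagged for manual review.
        bad = [t for t in tokens if t not in ALLOWED] or ([] if tokens else ["<empty>"])
        if bad:
            findings.append((port, "disallowed protocols: " + ",".join(bad)))
    return findings


if __name__ == "__main__":
    for port, reason in audit_connectors(SAMPLE_SERVER_XML):
        print(f"FINDING connector port={port}: {reason}")
```

The plain HTTP connector on port 8080 is reported because the check text applies to every HTTP protocol connector, not only those with SSL enabled.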

Documentable

False

Severity Override Guidance

From the Tomcat server console, run the following command:

sudo cat $CATALINA_BASE/conf/server.xml

Examine each <Connector/> element.

For every HTTP protocol connector:
Verify the SSLEnabledProtocols="TLSv1.2" flag is set on each connector.

If the SSLEnabledProtocols setting is not set to TLSv1.2 or greater, this is a finding.

Check Content Reference

M

Target Key

4094

Comments