STIGQter: STIG Summary: Apache Tomcat Application Server 9 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021

DefaultServlet must be set to readonly for PUT and DELETE.

DISA Rule

SV-222934r615938_rule

Vulnerability Number

V-222934

Group Title

SRG-APP-000033-AS-000024

Rule Version

TCAT-AS-000090

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

From the Tomcat server console as a privileged user:

Edit the $CATALINA_BASE/conf/web.xml file.

If the "readonly" param-value does not exist, it must be created.

Ensure the "readonly" param-value for the "DefaultServlet" servlet class = "true".

Check Contents

From the Tomcat server run the following command:

sudo cat $CATALINA_BASE/conf/web.xml |grep -i -A5 -B2 defaultservlet

If the "readonly" param-value for the "DefaultServlet" servlet class = "false" or does not exist, this is a finding.
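As an added check helper (not part of the STIG text or of STIGQter), the script below parses web.xml instead of grepping it, so the "readonly" init-param is evaluated even when it sits more than five lines after the servlet-class or another servlet definition appears first; the web.xml fragments are constructed samples, and the DefaultServlet class name is Tomcat's real one.

```python
"""Evaluate the TCAT-AS-000090 check against a web.xml: DefaultServlet 'readonly' must be 'true'."""
import sys
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

def _local(tag):
    # Drop the namespace, e.g. '{http://xmlns.jcp.org/xml/ns/javaee}servlet' -> 'servlet'.
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    # Text of the first direct child element with local name `name`, or None.
    for child in elem:
        if _local(child.tag) == name and child.text is not None:
            return child.text.strip()
    return None

def check_default_servlet_readonly(web_xml_text):
    """Return (is_finding, reason). Per the STIG, a missing param is a finding too."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        for param in servlet:
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "readonly":
                value = (_child_text(param, "param-value") or "").lower()
                if value == "true":
                    return (False, "readonly=true")
                return (True, f"readonly={value or '<empty>'}")
        return (True, "readonly init-param missing from DefaultServlet")
    return (True, "DefaultServlet definition not found in web.xml")

# Constructed sample web.xml fragments (the real file is $CATALINA_BASE/conf/web.xml).
def _web_xml(init_param):
    return ('<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0"><servlet>'
            f'<servlet-name>default</servlet-name><servlet-class>{DEFAULT_SERVLET_CLASS}'
            f'</servlet-class>{init_param}</servlet></web-app>')

COMPLIANT = _web_xml("<init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>")
FINDING_FALSE = _web_xml("<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>")
FINDING_MISSING = _web_xml("<init-param><param-name>debug</param-name><param-value>0</param-value></init-param>")

if __name__ == "__main__":
    # Pass the path to web.xml as the first argument; with no argument the compliant sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else COMPLIANT
    finding, reason = check_default_servlet_readonly(text)
    print(("FINDING: " if finding else "OK: ") + reason)
```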

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4094

Comments