STIGQter: STIG Summary: Apache Tomcat Application Sever 9 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

Unapproved connectors must be disabled.

DISA Rule

SV-222952r615938_rule

Vulnerability Number

V-222952

Group Title

SRG-APP-000141-AS-000095

Rule Version

TCAT-AS-000500

Severity

CAT II

CCI(s)

• CCI-000381 - The organization configures the information system to provide only essential capabilities.

Weight

10

Fix Recommendation

Obtain ISSO approvals for the configured connectors and document in the SSP.

Alternatively, edit the $CATALINA_BASE/conf/server.xml file, remove any unapproved connectors, and restart Tomcat:
sudo systemctl restart tomcat
sudo systemctl daemon-reload

Check Contents

Review SSP for list of approved connectors and associated TCP/IP ports. Ensure only approved connectors are present. Execute the following command on the Tomcat server to find configured Connectors:

$ grep “Connector” $CATALINA_BASE/conf/server.xml

Review results and verify all connectors and their associated network ports are approved in the SSP.

If connectors are found but are not approved in the SSP, this is a finding.

Vulnerability Number

V-222952

Documentable

False

Rule Version

TCAT-AS-000500

Severity Override Guidance

Review SSP for list of approved connectors and associated TCP/IP ports. Ensure only approved connectors are present. Execute the following command on the Tomcat server to find configured Connectors:

$ grep “Connector” $CATALINA_BASE/conf/server.xml

Review results and verify all connectors and their associated network ports are approved in the SSP.

If connectors are found but are not approved in the SSP, this is a finding.

Check Content Reference

M

Target Key

4094

Comments