STIGQter: STIG Summary: Apache Tomcat Application Sever 9 Security Technical Implementation Guide, Version: 2, Release: 2, Benchmark Date: 22 Jan 2021

Tomcat server must be patched for security vulnerabilities.

DISA Rule

SV-222996r615938_rule

Vulnerability Number

V-222996

Group Title

SRG-APP-000435-AS-000163

Rule Version

TCAT-AS-001470

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Follow operational procedures for upgrading Tomcat. Download the latest version of Tomcat and install it in a test environment. Test the applications that are running in production and follow all operations best practices when upgrading the production Tomcat application servers.

Update the Tomcat production instance accordingly and ensure corrected builds are installed once tested and verified.

Check Contents

Refer to https://tomcat.apache.org/security-9.html and identify the latest secure version of Tomcat with no known vulnerabilities.

As a privileged user from the Tomcat server, run the following command:

sudo $CATALINA_HOME/bin/version.sh |grep -i server

Compare the version running on the system to the latest secure version of Tomcat.

If the latest secure version of Tomcat is not installed, this is a finding.
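The comparison step of this check can be scripted. The following is an added example, not part of the STIG text: it reads the version.sh output, extracts the "Server number:" line and compares it field by field with a baseline that the operator takes from the Tomcat security page. The function names, the sample output and the baseline 9.0.12 are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of version.sh output (not taken from a real host).
SAMPLE_OUTPUT='Server version: Apache Tomcat/9.0.10
Server built:   Jan 1 2000 00:00:00 UTC
Server number:  9.0.10.0'

# Read version.sh output on stdin; print the value of the "Server number:" line.
tomcat_server_number() {
    awk 'tolower($0) ~ /^server number:/ {
             sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t\r]+$/, "")
             print; found = 1; exit
         }
         END { exit !found }'
}

# Return 0 if dotted version $1 >= $2, 1 if older, 2 if either is malformed.
# Fields are compared numerically, so 9.0.9 sorts before 9.0.10.
version_at_least() {
    for v in "$1" "$2"; do
        case $v in ''|*[!0-9.]*) return 2 ;; esac
    done
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {          # missing fields count as 0
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# stdin: version.sh output; $1: baseline version chosen by the operator.
# Returns 0 (not a finding), 1 (finding) or 2 (could not decide).
check_tomcat_patch_level() {
    installed=$(tomcat_server_number) || { echo "ERROR: no Server number line"; return 2; }
    version_at_least "$installed" "$1" && cmp=0 || cmp=$?
    case $cmp in
        0) echo "NOT A FINDING: installed $installed, baseline $1" ;;
        1) echo "FINDING: installed $installed is older than baseline $1"; return 1 ;;
        *) echo "ERROR: cannot compare '$installed' with '$1'"; return 2 ;;
    esac
}

# Demo on the constructed sample; 9.0.12 is a placeholder baseline.
printf '%s\n' "$SAMPLE_OUTPUT" | check_tomcat_patch_level 9.0.12 || true
```

On a server, pipe the real output into the function instead of the sample: "$CATALINA_HOME"/bin/version.sh | check_tomcat_patch_level followed by the baseline version.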

Documentable

False

Severity Override Guidance

Refer to https://tomcat.apache.org/security-9.html and identify the latest secure version of Tomcat with no known vulnerabilities.

As a privileged user from the Tomcat server, run the following command:

sudo $CATALINA_HOME/bin/version.sh |grep -i server

Compare the version running on the system to the latest secure version of Tomcat.

If the latest secure version of Tomcat is not installed, this is a finding.

Check Content Reference

M

Target Key

4094
