Check: TCAT-AS-000020
Apache Tomcat 9 STIG:
TCAT-AS-000020
(in version v1 r0.1)
Title
Secured connectors must be configured to use strong encryption ciphers. (Cat II impact)
Discussion
The Tomcat <Connector> element controls the SSL/TLS protocol and the associated ciphers used. If a strong cipher is not selected, an attacker may be able to circumvent the encryption protections configured for the connector. Strong ciphers must be employed when configuring a secured connector. The configuration attribute and its values depend on which HTTPS implementation is in use: either the Java-based implementation (JSSE) with the BIO and NIO connectors, or the OpenSSL-based implementation with the APR connector.
Check Content
From the Tomcat server console, run the following command: sudo grep -i ciphers $CATALINA_HOME/conf/server.xml. Examine each <Connector> statement that is not a redirect to a secure port. If insecure ciphers are specified, this is a finding.
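The grep above only locates the lines; deciding whether a hit is a finding means reading each TLS-terminating <Connector> and ignoring the plain redirect ones. The following script is an added example (not part of the STIG) that parses a constructed server.xml, skips connectors that do not terminate TLS, and reports ciphers matching a weak-name list that is the example's own assumption, since the STIG does not enumerate specific ciphers:

```python
import xml.etree.ElementTree as ET

# Cipher-name fragments this example treats as insecure. The STIG does not list
# ciphers, so this set is an assumption of the example, not of the check text.
WEAK_CIPHER_MARKERS = ("NULL", "anon", "EXPORT", "RC4", "DES", "MD5")

# Constructed server.xml fragment: a plain-HTTP redirect connector (out of scope),
# a TLS connector with a weak cipher, and a TLS connector using <SSLHostConfig>.
SAMPLE_SERVER_XML = """<Server>
<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
             ciphers="TLS_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
  <Connector port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="TLSv1.2"
                   ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
  </Connector>
</Service>
</Server>"""


def is_tls_connector(conn):
    """In scope when the connector terminates TLS rather than only redirecting."""
    return conn.get("SSLEnabled", "false").lower() == "true" or conn.get("scheme") == "https"


def weak_ciphers(spec):
    """Return the names in a comma-separated cipher spec that match a weak marker."""
    names = [c.strip() for c in (spec or "").split(",") if c.strip()]
    return [c for c in names if any(m in c for m in WEAK_CIPHER_MARKERS)]


def audit_connectors(xml_text):
    """Return findings as (port, detail) tuples; an empty list means no finding."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if not is_tls_connector(conn):
            continue  # redirect/plain-HTTP connectors are excluded by the check text
        port = conn.get("port", "?")
        # Tomcat 9 accepts ciphers on the Connector itself or on a nested <SSLHostConfig>.
        specs = [conn.get("ciphers")] + [h.get("ciphers") for h in conn.findall("SSLHostConfig")]
        specs = [s for s in specs if s]
        if not specs:
            findings.append((port, "no explicit cipher list; implementation defaults apply, review manually"))
        for spec in specs:
            for bad in weak_ciphers(spec):
                findings.append((port, f"insecure cipher {bad}"))
    return findings


if __name__ == "__main__":
    for port, detail in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {detail}")
```

Running it against a real $CATALINA_HOME/conf/server.xml is a matter of reading that file into audit_connectors instead of the constructed sample.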
Fix Text
As a privileged user on the Tomcat server, edit $CATALINA_HOME/conf/server.xml and modify the <Connector> …</Connector> element. Add the "SSLEnabledProtocols=" attribute to the connector or modify the existing one. Set SSLEnabledProtocols="TLS1.2". Save the server.xml file and restart Tomcat:
sudo systemctl restart tomcat
sudo systemctl reload-daemon
Additional Identifiers
Rule ID: TCAT-AS-000020_rule
Vulnerability ID: TCAT-AS-000020
Group Title: SRG-APP-000014-AS-000009
Expert Comments
CCIs
Number | Definition
---|---
CCI-000068 | The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.
Controls
Number | Title
---|---
AC-17 (2) | Protection Of Confidentiality / Integrity Using Encryption