Check: TCAT-AS-000680
Apache Tomcat 9 STIG: TCAT-AS-000680 (in version v1 r0.1)
Title
TLS 1.2 must be used on secured connectors. (Cat II impact)
Discussion
Encryption is the standard method for protecting data during transmission. If data is not encrypted with a secure protocol such as TLS 1.2, it can be read in clear text and easily compromised. TLS 1.1 and all versions of SSL have known vulnerabilities and must not be used.
Check Content
From the Tomcat server console, run the following command: sudo cat $CATALINA_HOME/conf/server.xml. Examine each <Connector> ... </Connector> element. For every HTTP protocol connector, verify that the SSLEnabledProtocols="TLSv1.2" attribute is set on that connector. If SSLEnabledProtocols is not set to TLSv1.2 or greater, this is a finding.
Fix Text
As a privileged user on the Tomcat server, edit $CATALINA_HOME/conf/server.xml and modify the <Connector> ... </Connector> element. Add the SSLEnabledProtocols attribute to the connector or modify the existing one, setting SSLEnabledProtocols="TLSv1.2". Save the server.xml file and restart Tomcat: sudo systemctl restart tomcat; sudo systemctl daemon-reload
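The check and fix above can be applied mechanically to a server.xml. The following script is an added example (not part of the STIG): it inspects every Connector with SSLEnabled="true" and reports a finding when SSLEnabledProtocols is missing or lists any protocol other than TLSv1.2 or TLSv1.3; the sample server.xml is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Protocol identifiers, as Tomcat spells them, that satisfy "TLSv1.2 or greater".
ACCEPTED = {"TLSv1.2", "TLSv1.3"}


def audit_connectors(server_xml: str) -> list:
    """Return one (port, SSLEnabledProtocols value, is_finding) tuple per SSL-enabled Connector."""
    root = ET.fromstring(server_xml)
    results = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector: not a secured connector, outside this check
        value = conn.get("SSLEnabledProtocols")
        if value is None:
            finding = True  # attribute absent, so the TLS version is not pinned: finding
        else:
            # Tomcat accepts a comma-separated list; every entry must be TLSv1.2 or greater.
            protocols = {p.strip() for p in value.split(",") if p.strip()}
            finding = not protocols or not protocols <= ACCEPTED
        results.append((conn.get("port"), value, finding))
    return results


# Constructed sample: one compliant secured connector, two non-compliant ones,
# and a plain HTTP connector that the check does not cover.
SAMPLE = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLEnabledProtocols="TLSv1.2"/>
    <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
               SSLEnabledProtocols="TLSv1.1,TLSv1.2"/>
    <Connector port="8445" SSLEnabled="true" scheme="https" secure="true"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    for port, value, finding in audit_connectors(SAMPLE):
        status = "FINDING" if finding else "ok"
        print(f"port {port}: SSLEnabledProtocols={value!r} -> {status}")
```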
Additional Identifiers
Rule ID: TCAT-AS-000680_rule
Vulnerability ID: TCAT-AS-000680
Group Title: SRG-APP-000172-AS-000120
CCIs
Number | Definition
---|---
CCI-000197 | The information system, for password-based authentication, transmits only cryptographically-protected passwords.
Controls
Number | Title
---|---
IA-5 (1) | Password-Based Authentication