Check: TCAT-AS-000840
Apache Tomcat 9 STIG:
TCAT-AS-000840
(in version v1 r0.1)
Title
Secured connectors must use FIPS 140-2-validated cipher algorithms. (Cat III impact)
Discussion
The HTTP protocol is not session-oriented, so application servers use session IDs to track application user sessions. Unique session IDs address man-in-the-middle attacks, including session hijacking or the insertion of false information into a session. If an attacker is unable to identify or guess the session information related to pending application traffic, they will have more difficulty hijacking the session or otherwise manipulating valid sessions.
Check Content
From the Tomcat server console, run the following command:

sudo grep -i fipsmode $CATALINA_HOME/conf/server.xml

If there are no results displayed, or if FIPSMode is not set to FIPSMode="on", this is a finding.

Note that the grep is case-insensitive and is a plain text match: it also returns commented-out lines and lines that set FIPSMode="off", so inspect the matching line(s) rather than treating a non-empty result as a pass. The attribute must be on the AprLifecycleListener <Listener/> element that is actually in effect. Tomcat's own documentation also lists the values enter and require for this attribute; this check, as written, only accepts "on".
Fix Text
From the Tomcat server as a privileged user:

sudo nano $CATALINA_HOME/conf/server.xml

In the <Listener/> element, locate the AprLifecycleListener, then add or modify the FIPSMode setting and set it to FIPSMode="on". Leave SSLEngine="on" in place; the FIPS setting is applied when the listener initialises OpenSSL.

EXAMPLE:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" FIPSMode="on" />

Restart the Tomcat server:

sudo systemctl restart tomcat

(systemctl daemon-reload is only required when a systemd unit file changes, not after editing server.xml; if it is needed, run it before the restart, not after.)

FIPSMode="on" requires Tomcat Native (libtcnative) linked against a FIPS-capable OpenSSL. After the restart, confirm that the server actually started and that the Tomcat logs report OpenSSL entering FIPS mode; a listener that cannot enter FIPS mode does not silently fall back to non-FIPS ciphers.
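The check above is a case-insensitive grep, which also matches commented-out listeners and FIPSMode="off". The following is an added example, not part of the STIG or of Apache Tomcat, that evaluates the same requirement by parsing server.xml and locating the AprLifecycleListener element that is actually in effect. It also flags SSLEngine="off", which goes beyond the STIG text and rests on the assumption (stated in the code) that FIPSMode is only applied when the listener initialises OpenSSL. The server.xml fragments are constructed for the demonstration.

```python
"""Evaluate TCAT-AS-000840 (AprLifecycleListener FIPSMode="on") against server.xml.

Added example; not STIG or Apache Tomcat code. Sample server.xml fragments
below are constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"


def naive_grep_check(server_xml: str) -> bool:
    """Mimic `grep -i fipsmode server.xml` as the STIG check is written.

    Passes if any line mentions fipsmode (case-insensitively) and that line
    carries FIPSMode="on". Comments are not distinguished from live config.
    """
    for line in server_xml.splitlines():
        if "fipsmode" in line.lower() and 'FIPSMode="on"' in line:
            return True
    return False


def check_fips_mode(server_xml: str) -> dict:
    """Parse server.xml and evaluate every AprLifecycleListener.

    Returns {"finding": bool, "reasons": [...]}; an empty reasons list means
    compliant. ElementTree discards XML comments, so a commented-out Listener
    is never counted as configuration.
    """
    reasons = []
    root = ET.fromstring(server_xml)
    listeners = [el for el in root.iter("Listener")
                 if el.get("className") == APR_LISTENER]
    if not listeners:
        return {"finding": True, "reasons": ["AprLifecycleListener not configured"]}
    for el in listeners:
        fips = el.get("FIPSMode")
        if fips is None:
            reasons.append("FIPSMode attribute missing")
        elif fips != "on":
            reasons.append(f'FIPSMode="{fips}" (check requires "on")')
        # Beyond the STIG text. Assumption: FIPSMode is only applied when the
        # listener initialises OpenSSL, which it does not do with SSLEngine="off"
        # (SSLEngine defaults to "on" when the attribute is absent).
        if el.get("SSLEngine", "on") == "off":
            reasons.append('SSLEngine="off": FIPSMode would not take effect')
    return {"finding": bool(reasons), "reasons": reasons}


def check_file(path: str) -> dict:
    """Convenience wrapper for a real file, e.g. $CATALINA_HOME/conf/server.xml."""
    with open(path, encoding="utf-8") as fh:
        return check_fips_mode(fh.read())


# Constructed samples (not real deployments).
COMPLIANT = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" FIPSMode="on" />
  <Service name="Catalina"/>
</Server>
"""

# The compliant line survives only inside a comment; the live listener has no FIPSMode.
COMMENTED_OUT = """<Server port="8005" shutdown="SHUTDOWN">
  <!-- <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" FIPSMode="on" /> -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina"/>
</Server>
"""

FIPS_OFF = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" FIPSMode="off" />
  <Service name="Catalina"/>
</Server>
"""

NO_LISTENER = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina"/>
</Server>
"""

if __name__ == "__main__":
    for name, doc in [("COMPLIANT", COMPLIANT), ("COMMENTED_OUT", COMMENTED_OUT),
                      ("FIPS_OFF", FIPS_OFF), ("NO_LISTENER", NO_LISTENER)]:
        print(name, "grep:", naive_grep_check(doc), "parsed:", check_fips_mode(doc))
```

The COMMENTED_OUT sample is the case that matters: the grep-based check passes it, because the commented-out line still contains FIPSMode="on", while the parsed check reports the missing attribute on the listener that Tomcat will actually load.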
Additional Identifiers
Rule ID: TCAT-AS-000840_rule
Vulnerability ID: TCAT-AS-000840
Group Title: SRG-APP-000224-AS-000152
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001188 | The information system generates unique session identifiers for each session with organization-defined randomness requirements. |
Controls
Number | Title |
---|---|
SC-23 (3) | Unique Session Identifiers With Randomization |