Check: TCAT-AS-000040
Apache Tomcat 9 STIG: TCAT-AS-000040 (in version v1 r0.1)
Title
TLS 1.2 must be used on secured HTTP connectors. (Cat II impact)
Discussion
Using older versions of TLS introduces security vulnerabilities that exist in the older versions of the protocol. By default, Tomcat enables all available SSL/TLS protocol versions unless the versions are explicitly defined in the SSL configuration attribute of the associated connector. This gives a client the opportunity to negotiate an older protocol version and increases the risk of compromise of the Tomcat server. All connectors must use TLS 1.2.
Check Content
From the Tomcat server console, run the following command:

sudo cat $CATALINA_HOME/conf/server.xml

Examine each <Connector> </Connector> statement. For every HTTP protocol connector, verify that the SSLEnabledProtocols="TLSv1.2" attribute is set on the connector. If the SSLEnabledProtocols setting is not set to TLSv1.2 or greater, this is a finding.
Fix Text
As a privileged user on the Tomcat server, edit $CATALINA_HOME/conf/server.xml and modify the <Connector> …</Connector> element. Add the SSLEnabledProtocols attribute to the connector, or modify the existing one, and set SSLEnabledProtocols="TLSv1.2". Save the server.xml file and restart Tomcat:

sudo systemctl restart tomcat
sudo systemctl daemon-reload
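The check and fix above can be audited mechanically. The following is an added example, not part of the STIG or of Tomcat itself: it parses a constructed server.xml, selects the secured connectors (SSLEnabled="true" or scheme="https"), and reports a finding for any that lacks a protocol restriction or that enables anything older than TLSv1.2. Beyond the STIG text, it also reads the Tomcat 9 <SSLHostConfig protocols="..."> form, which governs negotiation in the same way as the connector-level SSLEnabledProtocols attribute.

```python
"""Audit a Tomcat server.xml for TCAT-AS-000040: secured connectors must be TLS 1.2 or greater."""
import re
import xml.etree.ElementTree as ET

ACCEPTED = {"TLSv1.2", "TLSv1.3"}  # "TLSv1.2 or greater"; SSLv3, TLSv1, TLSv1.1 and "all" are findings

# Constructed sample, not a real deployment: one plain HTTP connector and three HTTPS connectors.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             SSLEnabledProtocols="TLSv1.2"/>
  <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"/>
  <Connector port="8445" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="TLSv1,TLSv1.1,TLSv1.2"/>
  </Connector>
</Service></Server>"""


def _enabled_protocols(value):
    """Tokens of a Tomcat protocol list; '-X' exclusions never enable anything, '+X' does."""
    return {t.lstrip("+") for t in re.split(r"[,\s]+", value.strip()) if t and not t.startswith("-")}


def audit_connectors(server_xml):
    """Return [(port, status, detail)] for every secured HTTP connector.

    Secured means SSLEnabled="true" or scheme="https". Both the connector-level
    SSLEnabledProtocols attribute and the Tomcat 9 <SSLHostConfig protocols> form are read.
    """
    results = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not (conn.get("SSLEnabled", "").lower() == "true" or conn.get("scheme", "").lower() == "https"):
            continue  # plain HTTP connector: out of scope for this check
        port = conn.get("port", "?")
        values = [v for v in [conn.get("SSLEnabledProtocols")]
                  + [h.get("protocols") for h in conn.findall("SSLHostConfig")] if v]
        if not values:
            results.append((port, "FINDING", "no protocol restriction; any supported version may be negotiated"))
            continue
        weak = sorted(set().union(*(_enabled_protocols(v) for v in values)) - ACCEPTED)
        if weak:
            results.append((port, "FINDING", "allows " + ", ".join(weak)))
        else:
            results.append((port, "PASS", ", ".join(values)))
    return results


if __name__ == "__main__":
    for port, status, detail in audit_connectors(SAMPLE_SERVER_XML):
        print(f"connector {port}: {status} ({detail})")
```

Against the sample, connector 8443 passes, 8444 is a finding for having no restriction at all, and 8445 is a finding because TLSv1 and TLSv1.1 remain enabled alongside TLSv1.2.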
Additional Identifiers
Rule ID: TCAT-AS-000040_rule
Vulnerability ID: TCAT-AS-000040
Group Title: SRG-APP-000015-AS-000010
CCIs
Number | Definition
---|---
CCI-001453 | The information system implements cryptographic mechanisms to protect the integrity of remote access sessions.
Controls
Number | Title
---|---
AC-17 (2) | Protection Of Confidentiality / Integrity Using Encryption