Check: TCAT-AS-000090
Apache Tomcat 9 STIG (version v1 r0.1)
Title
DefaultServlet must be set to readonly for PUT and DELETE. (Cat II impact)
Discussion
The Default servlet (or DefaultServlet) is a special servlet provided with Tomcat, which is called when no other suitable page is found in a particular folder. The DefaultServlet serves static resources as well as directory listings. The DefaultServlet is declared globally in $CATALINA_BASE/conf/web.xml and by default is configured with the "readonly" parameter set to true, so that HTTP methods such as PUT and DELETE are rejected. Changing this to false allows clients to delete or modify static resources on the server and to upload new resources. DefaultServlet readonly must be set to true.
Check Content
From the Tomcat server run the following command:
sudo cat $CATALINA_HOME/conf/web.xml | grep -i -A5 -B2 defaultservlet
If the "readonly" param-value does not exist, this is not a finding.
If the "readonly" param-value for the "DefaultServlet" servlet class is "false", this is a finding.
Fix Text
From the Tomcat server console as a privileged user:
Edit the $CATALINA_HOME/conf/web.xml file. If the "readonly" param-value does not exist, it must be created.
Set the "readonly" param-value for the "DefaultServlet" servlet class to "true".
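As an added example (not part of the STIG text), the following Python script applies the same verdict logic as the Check Content to a conf/web.xml document, using an XML parser rather than grep so the result does not depend on how the file is laid out; the sample documents it builds are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Servlet class Tomcat registers under the servlet-name "default" in conf/web.xml.
DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

def _local(tag):
    # Strip the Servlet-spec namespace so "{http://...}servlet" matches "servlet".
    return tag.rsplit("}", 1)[-1]

def _text(elem, child_name):
    # Text of the first direct child with the given local name, or None if absent.
    for child in elem:
        if _local(child.tag) == child_name:
            return (child.text or "").strip()
    return None

def default_servlet_readonly(web_xml_text):
    """Return the DefaultServlet "readonly" param-value, or None when it is not declared."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet" or _text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        for param in servlet:
            if _local(param.tag) == "init-param" and (_text(param, "param-name") or "").lower() == "readonly":
                return _text(param, "param-value")
        return None
    raise ValueError("no DefaultServlet declaration found in web.xml")

def is_finding(web_xml_text):
    """STIG verdict: only an explicit readonly "false" is a finding; absent or "true" is not."""
    value = default_servlet_readonly(web_xml_text)
    return value is not None and value.lower() == "false"

def sample_web_xml(readonly=None):
    """Constructed minimal conf/web.xml for testing; readonly=None omits the init-param."""
    param = ("" if readonly is None else
             f"<init-param><param-name>readonly</param-name><param-value>{readonly}</param-value></init-param>")
    return ('<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0"><servlet>'
            "<servlet-name>default</servlet-name>"
            f"<servlet-class>{DEFAULT_SERVLET_CLASS}</servlet-class>"
            "<init-param><param-name>listings</param-name><param-value>false</param-value></init-param>"
            f"{param}<load-on-startup>1</load-on-startup></servlet></web-app>")

if __name__ == "__main__":
    for label, doc in (("absent", sample_web_xml()), ("false", sample_web_xml("false")), ("true", sample_web_xml("true"))):
        print(f"readonly {label}: {'FINDING' if is_finding(doc) else 'not a finding'}")
```

To run it against a real server, read $CATALINA_HOME/conf/web.xml into a string and pass it to is_finding().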
Additional Identifiers
Rule ID: TCAT-AS-000090_rule
Vulnerability ID: TCAT-AS-000090
Group Title: SRG-APP-000033-AS-000024
CCIs
Number | Definition |
---|---|
CCI-000213 | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
Controls
Number | Title |
---|---|
AC-3 | Access Enforcement |