Check: TCAT-AS-000570
Apache Tomcat 9 STIG:
TCAT-AS-000570
(in version v1 r0.1)
Title
Tomcat default ROOT web application must be removed. (Cat III impact)
Discussion
The default ROOT web application includes the version of Tomcat that is being used, links to Tomcat documentation, examples, FAQs, and mailing lists. The default ROOT web application must be removed from a publicly accessible Tomcat instance and a more appropriate default page shown to users. It is acceptable to replace the contents of default ROOT with a new default web application.
Check Content
From the Tomcat server OS, type the following command:

sudo ls -l $CATALINA_HOME/webapps/ROOT

Review the index.jsp file and the RELEASE-NOTES.txt file. Look for content that describes the application as being licensed by the Apache Software Foundation. Check index.jsp for other wording that indicates the application is part of the Tomcat server. Alternatively, use a web browser to access the default web application and determine whether the web application in the ROOT folder is the one provided with the Apache Tomcat server. If the ROOT web application contains Tomcat default application content, this is a finding.
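The check above can be scripted. The following is an added example (not part of the STIG or of Apache Tomcat) that assumes the strings "Apache Software Foundation", "Apache Tomcat" and "tomcat.apache.org" in index.jsp, or a shipped RELEASE-NOTES.txt, are sufficient markers of default content; the two sample ROOT directories it builds are constructed for offline testing.

```shell
#!/bin/sh
# Added example: automate the TCAT-AS-000570 check on a Tomcat ROOT webapp dir.
# Prints one of:
#   finding      - default Tomcat content is present
#   not_finding  - a replacement application (or nothing) is deployed
#   absent       - the ROOT directory does not exist (removed entirely)
# The marker strings below are an assumption drawn from the check text, not an
# official list.

check_root_webapp() {
    root_dir="$1"            # normally "$CATALINA_HOME/webapps/ROOT"
    if [ ! -d "$root_dir" ]; then
        echo absent
        return 0
    fi
    finding=0
    # The stock ROOT application carries RELEASE-NOTES.txt from the distribution.
    if [ -f "$root_dir/RELEASE-NOTES.txt" ]; then
        finding=1
    fi
    # The stock index.jsp identifies the page as Tomcat / licensed by the ASF.
    if [ -f "$root_dir/index.jsp" ] && grep -qiE \
        'Apache Software Foundation|Apache Tomcat|tomcat\.apache\.org' \
        "$root_dir/index.jsp"; then
        finding=1
    fi
    if [ "$finding" -eq 1 ]; then echo finding; else echo not_finding; fi
}

# Constructed sample directories so the check can be exercised offline.
make_samples() {
    base="$(mktemp -d)"
    # Resembles the stock Tomcat ROOT application (constructed content).
    mkdir -p "$base/default_root"
    printf '<%%@ page session="false" %%>\n<h1>Apache Tomcat</h1>\n<p>Licensed to the Apache Software Foundation (ASF)</p>\n' \
        > "$base/default_root/index.jsp"
    printf 'Apache Tomcat Version 9\nRelease Notes\n' > "$base/default_root/RELEASE-NOTES.txt"
    # Resembles an organisation's replacement landing page (constructed content).
    mkdir -p "$base/custom_root"
    printf '<html><body><h1>Example Corp portal</h1></body></html>\n' > "$base/custom_root/index.html"
    echo "$base"
}

# Stand-alone run: report on the live instance when CATALINA_HOME is set.
if [ -n "$CATALINA_HOME" ]; then
    echo "ROOT webapp: $(check_root_webapp "$CATALINA_HOME/webapps/ROOT")"
fi
```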
Fix Text
From the Tomcat server OS: either remove the files contained in the $CATALINA_HOME/webapps/ROOT folder, or replace the content of the folder with a new application that serves as the new default server application.
Additional Identifiers
Rule ID: TCAT-AS-000570_rule
Vulnerability ID: TCAT-AS-000570
Group Title: SRG-APP-000141-AS-000095
Expert Comments
CCIs
Number | Definition
---|---
CCI-000381 | The organization configures the information system to provide only essential capabilities.
Controls
Number | Title
---|---
CM-7 | Least Functionality