Check: TCAT-AS-000820
Apache Tomcat Application Server 9 STIG:
TCAT-AS-000820
(in versions v2 r7 through v1 r1)
Title
Tomcat must be configured to limit data exposure between applications. (Cat III impact)
Discussion
If RECYCLE_FACADES is true or if a security manager is in use, a new facade object will be created for each request. This reduces the chances that a bug in an application might expose data from one request to another. This setting is configured using environment variable settings. For Linux OS flavors other than Ubuntu, use the relevant OS commands. For Ubuntu, this setting can be managed in the /etc/systemd/system/tomcat.service file via the CATALINA_OPTS variable. This setting is defined in the file and referenced during tomcat startup in order to load tomcat environment variables. Technically, the tomcat.service referenced in the check and fix could be called a different name; but for STIG purposes and to provide a standard setting that can be referred to and obviously is used for Tomcat, tomcat.service was chosen.
Check Content
From the Tomcat server as a privileged user, run the following command: sudo grep -i recycle_facades /etc/systemd/system/tomcat.service If there are no results, or if the org.apache.catalina.connector. RECYCLE_FACADES is not ="true", this is a finding.
Fix Text
From the Tomcat server as a privileged user: edit the /etc/systemd/system/tomcat.service file and either add or edit the org.apache.catalina.connector. RECYCLE_FACADES setting. Set the org.apache.catalina.connector. RECYCLE_FACADES=true. EXAMPLE: Environment='CATALINA_OPTS -Dorg.apache.catalina.connector. RECYCLE_FACADES=true' Restart the Tomcat server: sudo systemctl restart tomcat sudo systemctl daemon-reload
Additional Identifiers
Rule ID: SV-222973r879638_rule
Vulnerability ID: V-222973
Group Title: SRG-APP-000223-AS-000150
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001664 |
The information system recognizes only session identifiers that are system-generated. |
Controls
Number | Title |
---|---|
SC-23 (3) |
Unique Session Identifiers With Randomization |