Check: TCAT-AS-001470
Apache Tomcat Application Server 9 STIG:
TCAT-AS-001470
(in versions v2 r7 through v2 r4)
Title
Tomcat server must be patched for security vulnerabilities. (Cat II impact)
Discussion
Tomcat is constantly being updated to address newly discovered vulnerabilities, some of which include denial-of-service attacks. To address this risk, the Tomcat administrator must ensure the system remains up to date on patches. Satisfies: SRG-APP-000435-AS-000163, SRG-APP-000456-AS-000266
Check Content
Refer to https://tomcat.apache.org/security-9.html and identify the latest secure version of Tomcat with no known vulnerabilities. As a privileged user from the Tomcat server, run the following command: sudo $CATALINA_HOME/bin/version.sh |grep -i server Compare the version running on the system to the latest secure version of Tomcat. Note: If TCAT-AS-000950 is compliant, users may need to leverage a different management interface. There is commonly a version.bat script in CATALINA_HOME/bin that will also output the current version of Tomcat. If the latest secure version of Tomcat is not installed, this is a finding.
Fix Text
Follow operational procedures for upgrading Tomcat. Download latest version of Tomcat and install in a test environment. Test applications that are running in production and follow all operations best practices when upgrading the production Tomcat application servers. Update the Tomcat production instance accordingly and ensure corrected builds are installed once tested and verified.
Additional Identifiers
Rule ID: SV-222996r879806_rule
Vulnerability ID: V-222996
Group Title: SRG-APP-000435-AS-000163
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002385 |
The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards. |
CCI-002605 |
The organization installs security-relevant software updates within an organization-defined time period of the release of the updates. |