STIGQter: STIG Summary: Apache Tomcat Application Sever 9 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

DefaultServlet directory listings parameter must be disabled.

DISA Rule

SV-222954r615938_rule

Vulnerability Number

V-222954

Group Title

SRG-APP-000141-AS-000095

Rule Version

TCAT-AS-000520

Severity

CAT III

CCI(s)

• CCI-000381 - The organization configures the information system to provide only essential capabilities.

Weight

10

Fix Recommendation

From the Tomcat server as a privileged user:

Edit the $CATALINA_BASE/conf/web.xml file.

Examine the <init-param> elements within the <Servletclass> element, if the "listings" <param-value>element is "true" change the "listings" <param-value> to read "false".

sudo systemctl restart tomcat
sudo systemctl daemon-reload

Check Contents

From the Tomcat server run the following OS command:

sudo cat $CATALINA_BASE/conf/web.xml |grep -i -A10 -B2 defaultservlet

The above command will include ten lines after and two lines before the occurrence of "defaultservlet". Some systems may require that the user increase the after number (A10) in order to determine the "listings" param-value.

If the "listings" param-value for the "DefaultServlet" servlet class does not = "false", this is a finding.

Vulnerability Number

V-222954

Documentable

False

Rule Version

TCAT-AS-000520

Severity Override Guidance

From the Tomcat server run the following OS command:

sudo cat $CATALINA_BASE/conf/web.xml |grep -i -A10 -B2 defaultservlet

The above command will include ten lines after and two lines before the occurrence of "defaultservlet". Some systems may require that the user increase the after number (A10) in order to determine the "listings" param-value.

If the "listings" param-value for the "DefaultServlet" servlet class does not = "false", this is a finding.

Check Content Reference

M

Target Key

4094

Comments