STIGQter: STIG Summary: Apache Tomcat Application Server 9 Security Technical Implementation Guide, Version: 2, Release: 2, Benchmark Date: 22 Jan 2021

The deployXML attribute must be set to false in hosted environments.

DISA Rule

SV-222955r615938_rule

Vulnerability Number

V-222955

Group Title

SRG-APP-000141-AS-000095

Rule Version

TCAT-AS-000530

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Document authorization for application auto deployment in the System Security Plan (SSP).

From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.

sudo nano $CATALINA_BASE/conf/server.xml

Locate each <Host> element in the server.xml file.

If deployXML="true", ensure each Host is authorized for application auto deployment and document the authorization in the System Security Plan.

If authorization is not provided, set deployXML="false".

Check Contents

If the SSP associated with the Host contains ISSM documented approvals for deployXML, this is not a finding.

From the Tomcat server as a privileged user:

sudo grep -i deployXML $CATALINA_BASE/conf/server.xml

If the deployXML setting is configured as true and there is no documented authorization to allow automatic deployment of applications, this is a finding.
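
The grep check above only matches Hosts that set the attribute explicitly. Tomcat's documented default for deployXML is true unless a security manager is enabled, so a Host that omits the attribute behaves as deployXML="true" and is missed. The following added example (not part of the STIG text) parses server.xml and reports the effective value for each Host; the sample XML, host names, function name and status labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from a real system): Hosts covering
# explicit false, explicit true, attribute omitted, and a property placeholder.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <!-- deployXML="true" inside a comment is ignored by the XML parser -->
      <Host name="localhost" appBase="webapps" deployXML="false"/>
      <Host name="tenant-a.example" appBase="tenant-a" deployXML="true"/>
      <Host name="tenant-b.example" appBase="tenant-b"/>
      <Host name="tenant-c.example" appBase="tenant-c" deployXML="${deploy.xml}"/>
    </Engine>
  </Service>
</Server>
"""


def audit_deploy_xml(server_xml_text, security_manager=False):
    """Return [(host_name, effective_value, status)] for every <Host> element."""
    results = []
    for host in ET.fromstring(server_xml_text).iter("Host"):
        name = host.get("name", "<unnamed>")
        raw = host.get("deployXML")
        if raw is None:
            # Tomcat default: true, unless a security manager is enabled.
            value = "false" if security_manager else "true"
        else:
            value = raw.strip().lower()
        if value == "false":
            status = "ok"
        elif value == "true":
            status = "needs-ssp-authorization"
        else:
            # e.g. a ${property} placeholder that is resolved at startup
            status = "manual-review"
        results.append((name, value, status))
    return results


if __name__ == "__main__":
    for name, value, status in audit_deploy_xml(SAMPLE_SERVER_XML):
        print(f"{name}: deployXML={value} -> {status}")
```

A Host reported as needs-ssp-authorization is a finding only when the SSP holds no ISSM approval for it, as the check text states.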

Documentable

False

Severity Override Guidance

If the SSP associated with the Host contains ISSM documented approvals for deployXML, this is not a finding.

From the Tomcat server as a privileged user:

sudo grep -i deployXML $CATALINA_BASE/conf/server.xml

If the deployXML setting is configured as true and there is no documented authorization to allow automatic deployment of applications, this is a finding.

Check Content Reference

M

Target Key

4094

Comments