STIGQter: STIG Summary: Apache Tomcat Application Sever 9 Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

Access to JMX management interface must be restricted.

DISA Rule

SV-222969r615938_rule

Vulnerability Number

V-222969

Group Title

SRG-APP-000211-AS-000146

Rule Version

TCAT-AS-000780

Severity

CAT II

CCI(s)

• CCI-001082 - The information system separates user functionality (including user interface services) from information system management functionality.

Weight

10

Fix Recommendation

Make an operational determination regarding the use of JMX. If JMX management is decided upon, identify the management networks that are used for system management. Update the system security plan and network documentation with the information.

Edit the /etc/systemd/system/tomcat.service file.

Add or modify the existing CATALINA_OPTS -Dcom.sun.management.jmxremote.host setting. Set the host parameter to an IP address that is only available on a management network.

EXAMPLE:
CATALINA_OPTS='-Dcom.sun.management.jmxremote.host=192.168.0.150'

Restart Tomcat:
sudo systemctl restart tomcat
sudo systemctl daemon-reload

Verify jmxmanagement access is restricted to the management network IP address range.

Check Contents

Review the system security plan and network documentation. Identify the management networks that are used for system management.

From the Tomcat server as a privileged user, run the following command:

sudo grep -i jmxremote /etc/systemd/system/tomcat.service
sudo ps -ef |grep -i jmxremote

If there are no results, the JMX process is not being used, and this is not a finding.

If output includes jmxremote information, review the -Dcom.sun.management.jmxremote.host setting.

Compare the IP address associated with the JMX process with the network information in the SSP. Ensure the IP address space is dedicated for system management purposes.

If the IP address that is associated with the JMX process is not dedicated to system management usage, this is a finding.

If jmxremote is in use but the host IP address is not specified, this is a finding.

Vulnerability Number

V-222969

Documentable

False

Rule Version

TCAT-AS-000780

Severity Override Guidance

Review the system security plan and network documentation. Identify the management networks that are used for system management.

From the Tomcat server as a privileged user, run the following command:

sudo grep -i jmxremote /etc/systemd/system/tomcat.service
sudo ps -ef |grep -i jmxremote

If there are no results, the JMX process is not being used, and this is not a finding.

If output includes jmxremote information, review the -Dcom.sun.management.jmxremote.host setting.

Compare the IP address associated with the JMX process with the network information in the SSP. Ensure the IP address space is dedicated for system management purposes.

If the IP address that is associated with the JMX process is not dedicated to system management usage, this is a finding.

If jmxremote is in use but the host IP address is not specified, this is a finding.

Check Content Reference

M

Target Key

4094

Comments