
Clusters must operate on a trusted network.


Overview

Finding ID: V-222974
Version: TCAT-AS-000860
Rule ID: SV-222974r615938_rule
Severity: Medium
Description
Operating a Tomcat cluster on an untrusted network creates the potential for unauthorized persons to view or manipulate cluster session traffic. When operating a Tomcat cluster, care must be taken to isolate the cluster traffic from untrusted sources. Options include using a private VLAN, VPN, or IPsec tunnel, or encrypting the cluster traffic with the EncryptInterceptor. The EncryptInterceptor adds encryption to the channel messages carrying session data between Tomcat cluster nodes. Place the <Cluster> element inside either the <Engine> container or the <Host> container. Placing it in the engine means supporting clustering in all virtual hosts of Tomcat and sharing the messaging component. When the user places the <Cluster> inside the <Engine> element, the cluster will append the host name of each session manager to the manager's name so that two contexts with the same name (but sitting inside two different hosts) will be distinguishable.
STIG: Apache Tomcat Application Server 9 Security Technical Implementation Guide
Date: 2021-12-27

Details

Check Text ( C-24646r426366_chk )
Review the System Security Plan (SSP) documentation to determine whether the Tomcat server is part of an application server cluster. Also identify the Tomcat network interfaces and the proxy/load balancer that front-ends the cluster.

From the Tomcat server as a privileged user, run the following command:

sudo grep -i -A2 -B2 "Cluster" $CATALINA_BASE/conf/server.xml

If the element is commented out, or there are no results returned, this requirement is NA.

If a cluster is in use, run the following command as a privileged user:

grep -i EncryptInterceptor $CATALINA_BASE/conf/server.xml

If the Tomcat server is clustered and the EncryptInterceptor is not in use, or if the cluster traffic is not on a private network or VLAN, this is a finding.
Fix Text (F-24635r426367_fix)
Update the System Security Plan (SSP) and document the network interfaces, their related IP addresses, and which interfaces transport Tomcat cluster traffic. Also document which interface is multicast enabled if using the McastService membership class versus static membership.

To obtain the information needed for the SSP:
sudo grep -i -A3 "
Document the address="" value.

Review the OS routing tables. Identify and document which interface is configured to route the Tomcat class D IP multicast traffic.

sudo netstat -r

END of Documentation instructions.

From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file.

sudo nano $CATALINA_BASE/conf/server.xml

Locate the element nested within the element.

Add the to the server.xml and save the file.

Restart the Tomcat server:
sudo systemctl restart tomcat

NOTE:
The EncryptInterceptor adds encryption to the channel messages carrying session data between nodes. This feature was added in Tomcat 9.0.13. If using the TcpFailureDetector interceptor, the EncryptInterceptor must be inserted into the interceptor chain BEFORE the TcpFailureDetector. When validating cluster members, TcpFailureDetector writes channel data directly to the other members without using the remainder of the interceptor chain, but on the receiving side, the message still goes through the chain (in reverse). Because of this asymmetry, the EncryptInterceptor must execute before the TcpFailureDetector on the sender and after it on the receiver; otherwise, message corruption will occur.
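The check text and the note above amount to a small audit: an active (not commented-out) <Cluster> must carry an EncryptInterceptor, and when TcpFailureDetector is also in the chain the EncryptInterceptor must come first. The following is an added example, not part of the STIG or of Tomcat, that runs that audit over a server.xml; the server.xml fragments it builds are constructed for illustration and the encryptionKey value is a placeholder.

```python
"""Audit a Tomcat server.xml for TCAT-AS-000860 (V-222974). Added example."""
import xml.etree.ElementTree as ET

PKG = "org.apache.catalina.tribes.group.interceptors."
ENCRYPT = PKG + "EncryptInterceptor"
TCP_FAIL = PKG + "TcpFailureDetector"
DISPATCH = PKG + "MessageDispatchInterceptor"
KEY_ATTR = ' encryptionKey="PLACEHOLDER_HEX_KEY_SHARED_BY_ALL_NODES"'  # placeholder


def check_cluster_encryption(server_xml: str) -> str:
    """Return 'NA' (no active Cluster), 'PASS', or 'FAIL: <reasons>'."""
    # ElementTree's default parser drops XML comments, so a commented-out
    # <Cluster> is invisible here, matching the STIG's "NA" condition.
    root = ET.fromstring(server_xml)
    clusters = list(root.iter("Cluster"))
    if not clusters:
        return "NA"
    findings = []
    for cluster in clusters:
        # Interceptors are evaluated in document order, which is chain order.
        chain = [i.get("className", "") for i in cluster.iter("Interceptor")]
        if ENCRYPT not in chain:
            findings.append("EncryptInterceptor missing")
        elif TCP_FAIL in chain and chain.index(ENCRYPT) > chain.index(TCP_FAIL):
            # Sender bypasses the rest of the chain in TcpFailureDetector,
            # so encryption after it corrupts messages (see the NOTE above).
            findings.append("EncryptInterceptor must precede TcpFailureDetector")
    return "PASS" if not findings else "FAIL: " + "; ".join(findings)


def server_xml(interceptors, commented=False):
    """Build a minimal constructed server.xml; interceptors is [(class, attrs)]."""
    chain = "\n".join(f'    <Interceptor className="{c}"{a}/>' for c, a in interceptors)
    cluster = ('<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">\n'
               '  <Channel className="org.apache.catalina.tribes.group.GroupChannel">\n'
               f'{chain}\n  </Channel>\n</Cluster>')
    if commented:
        cluster = f"<!--\n{cluster}\n-->"
    return f"<Server><Service><Engine>\n{cluster}\n</Engine></Service></Server>"


# Corrected chain: EncryptInterceptor first, then TcpFailureDetector.
GOOD = server_xml([(ENCRYPT, KEY_ATTR), (TCP_FAIL, ""), (DISPATCH, "")])
# Weak chains: wrong order, and no EncryptInterceptor at all.
WRONG_ORDER = server_xml([(TCP_FAIL, ""), (ENCRYPT, KEY_ATTR), (DISPATCH, "")])
MISSING = server_xml([(TCP_FAIL, ""), (DISPATCH, "")])
COMMENTED = server_xml([(TCP_FAIL, "")], commented=True)
```

Point `check_cluster_encryption` at the contents of $CATALINA_BASE/conf/server.xml to audit a real node; the network-isolation half of the requirement (private VLAN, VPN, IPsec) still has to be verified from the SSP and routing tables.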