
Tomcat server must be patched for security vulnerabilities.


Overview

Finding ID: V-222996
Version: TCAT-AS-001470
Rule ID: SV-222996r814096_rule
IA Controls:
Severity: Medium
Description
Tomcat is constantly being updated to address newly discovered vulnerabilities, some of which include denial-of-service attacks. To address this risk, the Tomcat administrator must ensure the system remains up to date on patches.

Satisfies: SRG-APP-000435-AS-000163, SRG-APP-000456-AS-000266
STIG: Apache Tomcat Application Server 9 Security Technical Implementation Guide
Date: 2021-12-27

Details

Check Text (C-24668r814095_chk)
Refer to https://tomcat.apache.org/security-9.html and identify the latest secure version of Tomcat with no known vulnerabilities.

As a privileged user from the Tomcat server, run the following command:

sudo $CATALINA_HOME/bin/version.sh | grep -i server

Compare the version running on the system to the latest secure version of Tomcat.

Note: If TCAT-AS-000950 is compliant, users may need to leverage a different management interface. There is commonly a version.bat script in CATALINA_HOME/bin that will also output the current version of Tomcat.

If the latest secure version of Tomcat is not installed, this is a finding.
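The comparison step above is easy to get wrong by hand (a plain string sort ranks 9.0.9 above 9.0.56). The following POSIX sh script is an added example, not part of the STIG, that parses the "Server version:" line from version.sh output and compares it field by field against the latest secure version read from https://tomcat.apache.org/security-9.html. The sample version.sh output embedded in the script is constructed, and the "9.0.XX" value in the usage comment is a placeholder for the version the operator looks up on that page.

```shell
#!/bin/sh
# Added example (not part of the STIG): evaluate TCAT-AS-001470 by parsing
# `version.sh | grep -i server` output and comparing the running Tomcat
# version with the latest secure version from security-9.html.

# Constructed sample of what `version.sh | grep -i server` prints on a host.
SAMPLE_VERSION_OUTPUT='Server version: Apache Tomcat/9.0.56
Server built:   Nov 30 2021 16:56:23 UTC
Server number:  9.0.56.0'

# Extract the dotted version number (e.g. 9.0.56) from version.sh output read on stdin.
tomcat_version_from_output() {
    sed -n 's/^Server version:[[:space:]]*Apache Tomcat\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 (true) when version $1 is older than version $2, comparing each
# dot-separated field numerically; missing trailing fields count as 0.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa="${a%%.*}"; fb="${b%%.*}"
        [ -z "$fa" ] && fa=0
        [ -z "$fb" ] && fb=0
        if [ "$fa" -lt "$fb" ]; then return 0; fi
        if [ "$fa" -gt "$fb" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 1
}

# Evaluate the check. $1 = version.sh output, $2 = latest secure version.
# Returns 0 (compliant), 1 (finding) or 2 (version could not be determined).
check_tomcat_patch_level() {
    running=$(printf '%s\n' "$1" | tomcat_version_from_output)
    if [ -z "$running" ]; then
        echo "unable to determine running Tomcat version from output"
        return 2
    fi
    if version_lt "$running" "$2"; then
        echo "finding: running Tomcat $running, latest secure version is $2"
        return 1
    fi
    echo "compliant: running Tomcat $running (latest secure version $2)"
    return 0
}

# Live use on a Tomcat host; replace 9.0.XX (placeholder) with the version
# identified on https://tomcat.apache.org/security-9.html:
# check_tomcat_patch_level "$(sudo "$CATALINA_HOME/bin/version.sh" | grep -i server)" "9.0.XX"
```

The script deliberately does not fetch the security page itself: the "latest secure version" is a judgement the reviewer makes from that page, so it is passed in as an argument and the script only does the parsing and numeric comparison.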
Fix Text (F-24657r426433_fix)
Follow operational procedures for upgrading Tomcat. Download the latest version of Tomcat and install it in a test environment. Test the applications that are running in production and follow all operations best practices when upgrading the production Tomcat application servers.

Update the Tomcat production instance accordingly and ensure corrected builds are installed once tested and verified.