ALLOW_BACKSLASH must be set to false.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-223004 | TCAT-AS-001680 | SV-223004r961863_rule | CCI-000366 | medium |
| Description | ||||
| When Tomcat is installed behind a proxy configured to only allow access to certain Tomcat contexts (web applications), an HTTP request containing "/\../" may allow attackers to work around the proxy restrictions using directory traversal attack methods. If allow_backslash is true the '\' character will be permitted as a path delimiter. The default value for the setting is false but Tomcat should always be configured as if no proxy restricting context access was used and allow_backslash should be set to false to prevent directory traversal style attacks. This setting can create operability issues with non-compliant clients. In order to accommodate a non-compliant client, any deviation from the STIG setting must be approved by the ISSO. | ||||
| STIG | Date | |||
| Apache Tomcat Application Server 9 Security Technical Implementation Guide | 2025-02-11 | |||
Related Frameworks
4 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
CM-6
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1712 mappings
3.4.1
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
3.4.2
1.00
- DISA · 3 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000366
1.00
- DISA · 3 · disa_xccdf · related
Details
Check Text (C-223004r961863_chk)
If the ISSO has accepted the risk for enabling the ALLOW_BACKSLASH setting, this requirement is NA.
From the Tomcat server as an elevated user, run the following command:
sudo grep -i ALLOW_BACKSLASH $CATALINA_BASE/conf/catalina.properties
sudo grep -i catalina_opts /etc/systemd/system/tomcat.service
If org.apache.catalina.connector. ALLOW_BACKSLASH=true, this is a finding.
Fix Text (F-24665r426457_fix)
As a privileged user on the Tomcat server:
If the finding is in the catalina.properties file, edit the $CATALINA_BASE/conf/catalina.properties file.
sudo nano $CATALINA_BASE/conf/catalina.properties
Change the org.apache.catalina.connector.ALLOW_BACKSLASH=true setting to =false.
If the finding is in the /etc/systemd/services/tomcat/service file, edit the file using a text editor.
sudo nano /etc/systemd/services/tomcat.service
Locate the "Environment='CATALINA_OPTS=' line and change the -D.org.apache.catalina.connectorALLOW_BACKSLASH=true setting to =false.
Restart Tomcat by running the following commands:
sudo systemctl restart tomcat
sudo systemctl daemon-reload