UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Tomcat server must be patched for security vulnerabilities.


Overview

Finding ID Version Rule ID IA Controls Severity
V-222996 TCAT-AS-001470 SV-222996r879806_rule Medium
Description
Tomcat is constantly being updated to address newly discovered vulnerabilities, some of which include denial-of-service attacks. To address this risk, the Tomcat administrator must ensure the system remains up to date on patches. Satisfies: SRG-APP-000435-AS-000163, SRG-APP-000456-AS-000266
STIG Date
Apache Tomcat Application Server 9 Security Technical Implementation Guide 2023-12-18

Details

Check Text ( C-24668r850826_chk )
Refer to https://tomcat.apache.org/security-9.html and identify the latest secure version of Tomcat with no known vulnerabilities.

As a privileged user from the Tomcat server, run the following command:

sudo $CATALINA_HOME/bin/version.sh |grep -i server

Compare the version running on the system to the latest secure version of Tomcat.

Note: If TCAT-AS-000950 is compliant, users may need to leverage a different management interface. There is commonly a version.bat script in CATALINA_HOME/bin that will also output the current version of Tomcat.

If the latest secure version of Tomcat is not installed, this is a finding.
Fix Text (F-24657r426433_fix)
Follow operational procedures for upgrading Tomcat. Download latest version of Tomcat and install in a test environment. Test applications that are running in production and follow all operations best practices when upgrading the production Tomcat application servers.

Update the Tomcat production instance accordingly and ensure corrected builds are installed once tested and verified.