Vuln ID | Severity | Rule Title | Discussion |
V-88909 | High | tc Server ALL must exclude documentation, sample code, example applications, and tutorials. | Web server documentation, sample code, example applications, and tutorials may be an exploitable threat to a web server because this type of code has not been evaluated and approved. A production... |
V-89105 | High | tc Server CaSa must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version. | Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web... |
V-89107 | High | tc Server API must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version. | Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web... |
V-89103 | High | tc Server UI must set sslEnabledProtocols to an approved Transport Layer Security (TLS) version. | Transport Layer Security (TLS) is a required transmission protocol for a web server hosting controlled information. The use of TLS provides confidentiality of data in transit between the web... |
V-89029 | High | tc Server ALL must be configured to the correct user authentication source. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform... |
V-88933 | High | tc Server CaSa must not have any symbolic links in the web content directory tree. | A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files in the directory tree of the hosted web... |
V-88931 | High | tc Server UI must not have any symbolic links in the web content directory tree. | A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files in the directory tree of the hosted web... |
V-88935 | High | tc Server API must not have any symbolic links in the web content directory tree. | A web server is designed to deliver content and execute scripts or applications on the request of a client or user. Containing user requests to files in the directory tree of the hosted web... |
V-88961 | High | tc Server UI accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts. | As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server.... |
V-88963 | High | tc Server CaSa accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts. | As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server.... |
V-88965 | High | tc Server API accounts accessing the directory tree, the shell, or other operating system functions and utilities must be administrative accounts. | As a rule, accounts on a web server are to be kept to a minimum. Only administrators, web managers, developers, auditors, and web authors require accounts on the machine hosting the web server.... |
V-88967 | High | tc Server UI web server application directories must not be accessible to anonymous user. | In order to properly monitor the changes to the web server and the hosted applications, logging must be enabled. Along with logging being enabled, each record must properly contain the changes... |
V-88969 | High | tc Server CaSa web server application directories must not be accessible to anonymous user. | In order to properly monitor the changes to the web server and the hosted applications, logging must be enabled. Along with logging being enabled, each record must properly contain the changes... |
V-88971 | High | tc Server API web server application directories must not be accessible to anonymous user. | In order to properly monitor the changes to the web server and the hosted applications, logging must be enabled. Along with logging being enabled, each record must properly contain the changes... |
V-88865 | Medium | tc Server CaSa must produce log records that contain sufficient information to establish the outcome (success or failure) of events. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the... |
V-88867 | Medium | tc Server API must produce log records that contain sufficient information to establish the outcome (success or failure) of events. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the... |
V-88861 | Medium | tc Server API must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. | tc Server HORIZON logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the... |
V-88863 | Medium | tc Server UI must produce log records that contain sufficient information to establish the outcome (success or failure) of events. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the... |
V-88903 | Medium | tc Server CaSa must not use the tomcat-users XML database for user management. | User management and authentication can be an essential part of any application hosted by the web server. Along with authenticating users, the user management function must perform several other... |
V-88901 | Medium | tc Server UI must not use the tomcat-users XML database for user management. | User management and authentication can be an essential part of any application hosted by the web server. Along with authenticating users, the user management function must perform several other... |
V-88907 | Medium | tc Server ALL must only contain services and functions necessary for operation. | A web server can provide many features, services, and processes. Some of these may be deemed unnecessary or too unsecure to run on a production DoD system. The web server must provide the... |
V-88869 | Medium | tc Server UI must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the... |
V-88905 | Medium | tc Server API must not use the tomcat-users XML database for user management. | User management and authentication can be an essential part of any application hosted by the web server. Along with authenticating users, the user management function must perform several other... |
V-89075 | Medium | tc Server CaSa must disable the shutdown port. | An attacker has at least two reasons to stop a web server. The first is to cause a DoS, and the second is to put in place changes the attacker made to the web server configuration. As a Tomcat... |
V-89077 | Medium | tc Server API must disable the shutdown port. | An attacker has at least two reasons to stop a web server. The first is to cause a DoS, and the second is to put in place changes the attacker made to the web server configuration. As a Tomcat... |
V-89071 | Medium | tc Server API must use NSA Suite A cryptography when encrypting data that must be compartmentalized. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to... |
V-88795 | Medium | tc Server CaSa must perform server-side session management. | Cookies are a common way to save session state over the HTTP(S) protocol. If an attacker can compromise session data stored in a cookie, they are better able to launch an attack against the server... |
V-89073 | Medium | tc Server UI must disable the shutdown port. | An attacker has at least two reasons to stop a web server. The first is to cause a DoS, and the second is to put in place changes the attacker made to the web server configuration. As a Tomcat... |
V-89079 | Medium | tc Server UI must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission. | Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during... |
V-88851 | Medium | tc Server UI must produce log records containing sufficient information to establish the source of events. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the... |
V-88919 | Medium | tc Server CaSa must have mappings set for Java Servlet Pages. | Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to... |
V-88853 | Medium | tc Server CaSa must produce log records containing sufficient information to establish the source of events. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the... |
V-88855 | Medium | tc Server API must produce log records containing sufficient information to establish the source of events. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the... |
V-88857 | Medium | tc Server UI must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. | tc Server HORIZON logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining the... |
V-88859 | Medium | tc Server CaSa must be configured with the RemoteIpValve in order to produce log records containing the client IP information as the source and destination and not the load balancer or proxy IP information with each event. | tc Server HORIZON logging capability is critical for accurate forensic analysis. Without sufficient and accurate information, a correct replay of the events cannot be determined. Ascertaining... |
V-88911 | Medium | tc Server ALL must exclude installation of utility programs, services, plug-ins, and modules not necessary for operation. | Just as running unneeded services and protocols is a danger to the web server at the lower levels of the OSI model, running unneeded utilities and programs is also a danger at the application... |
V-88913 | Medium | tc Server ALL must have Multipurpose Internet Mail Extensions (MIME) that invoke OS shell programs disabled. | Controlling what a user of a hosted application can access is part of the security posture of the web server. Any time a user can access more functionality than is needed for the operation of the... |
V-88915 | Medium | tc Server ALL must have all mappings to unused and vulnerable scripts to be removed. | Scripts allow server side processing on behalf of the hosted application user or as processes needed in the implementation of hosted applications. Removing scripts not needed for application... |
V-88917 | Medium | tc Server UI must have mappings set for Java Servlet Pages. | Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to... |
V-89045 | Medium | tc Server CaSa must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis across multiple devices and log records. Time stamps generated by... |
V-89041 | Medium | tc Server ALL must use a logging mechanism that is configured to provide a warning to the ISSO and SA when allocated record storage volume reaches 75% of maximum log record storage capacity. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process logs as required. Log processing failures include: software/hardware errors, failures in the... |
V-88775 | Medium | tc Server UI must limit the number of maximum concurrent connections permitted. | Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a denial-of-service attack. Mitigating this kind of attack will include... |
V-89043 | Medium | tc Server UI must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis across multiple devices and log records. Time stamps generated by... |
V-88777 | Medium | tc Server CaSa must limit the number of maximum concurrent connections permitted. | Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a denial-of-service attack. Mitigating this kind of attack will include... |
V-88987 | Medium | tc Server UI must be configured with a cross-site scripting (XSS) filter. | Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other... |
V-89047 | Medium | tc Server API must generate log records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT). | If time stamps are not consistently applied and there is no common time reference, it is difficult to perform forensic analysis across multiple devices and log records. Time stamps generated by... |
V-88985 | Medium | tc Server API document directory must be in a separate partition from the web servers system files. | A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To... |
V-89049 | Medium | tc Server UI must record time stamps for log records to a minimum granularity of one second. | Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the web server include date and time and... |
V-88989 | Medium | tc Server CaSa must be configured with a cross-site scripting (XSS) filter. | Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other... |
V-88779 | Medium | tc Server API must limit the number of maximum concurrent connections permitted. | Resource exhaustion can occur when an unlimited number of concurrent requests are allowed on a website, facilitating a denial-of-service attack. Mitigating this kind of attack will include... |
V-88849 | Medium | tc Server API must produce log records containing sufficient information to establish where within the web server the events occurred. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the... |
V-88847 | Medium | tc Server CaSa must produce log records containing sufficient information to establish where within the web server the events occurred. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the... |
V-88845 | Medium | tc Server UI must produce log records containing sufficient information to establish where within the web server the events occurred. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the... |
V-88843 | Medium | tc Server API must produce log records containing sufficient information to establish when (date and time) events occurred. | After a security incident has occurred, investigators will often review log files to determine when events occurred. Understanding the precise sequence of events is critical for investigation of a... |
V-88841 | Medium | tc Server CaSa must produce log records containing sufficient information to establish when (date and time) events occurred. | After a security incident has occurred, investigators will often review log files to determine when events occurred. Understanding the precise sequence of events is critical for investigation of a... |
V-89119 | Medium | tc Server API must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception. | Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during... |
V-89117 | Medium | tc Server CaSa must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception. | Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during... |
V-89115 | Medium | tc Server UI must use approved Transport Layer Security (TLS) versions to maintain the confidentiality and integrity of information during reception. | Information can be either unintentionally or maliciously disclosed or modified during reception, including, for example, during aggregation, at protocol transformation points, and during... |
V-89113 | Medium | tc Server API must remove all export ciphers to protect the confidentiality and integrity of transmitted information. | During the initial setup of a Transport Layer Security (TLS) connection to the web server, the client sends a list of supported cipher suites in order of preference. The web server will reply... |
V-89111 | Medium | tc Server CaSa must remove all export ciphers to protect the confidentiality and integrity of transmitted information. | During the initial setup of a Transport Layer Security (TLS) connection to the web server, the client sends a list of supported cipher suites in order of preference. The web server will reply... |
V-88991 | Medium | tc Server API must be configured with a cross-site scripting (XSS) filter. | Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other... |
V-88993 | Medium | tc Server UI must set URIEncoding to UTF-8. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in... |
V-88995 | Medium | tc Server CaSa must set URIEncoding to UTF-8. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in... |
V-89059 | Medium | tc Server API application, libraries, and configuration files must only be accessible to privileged users. | A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes. With each of these changes, there is the... |
V-88999 | Medium | tc Server UI must use the setCharacterEncodingFilter filter. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in... |
V-89055 | Medium | tc Server UI application, libraries, and configuration files must only be accessible to privileged users. | A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes. With each of these changes, there is the... |
V-89053 | Medium | tc Server API must record time stamps for log records to a minimum granularity of one second. | Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the web server include date and time and... |
V-89051 | Medium | tc Server CaSa must record time stamps for log records to a minimum granularity of one second. | Without sufficient granularity of time stamps, it is not possible to adequately determine the chronological order of records. Time stamps generated by the web server include date and time and... |
V-88793 | Medium | tc Server UI must perform server-side session management. | Cookies are a common way to save session state over the HTTP(S) protocol. If an attacker can compromise session data stored in a cookie, they are better able to launch an attack against the server... |
V-88839 | Medium | tc Server UI must produce log records containing sufficient information to establish when (date and time) events occurred. | After a security incident has occurred, investigators will often review log files to determine when events occurred. Understanding the precise sequence of events is critical for investigation of a... |
V-88791 | Medium | tc Server API must limit the number of times that each TCP connection is kept alive. | KeepAlive provides long-lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects of several types of denial-of-service... |
V-88833 | Medium | tc Server UI must produce log records containing sufficient information to establish what type of events occurred. | After a security incident has occurred, investigators will often review log files to determine what happened. Understanding what type of event occurred is critical for investigation of a... |
V-88831 | Medium | tc Server API must capture, record, and log all content related to a user session. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the... |
V-88837 | Medium | tc Server API must produce log records containing sufficient information to establish what type of events occurred. | After a security incident has occurred, investigators will often review log files to determine what happened. Understanding what type of event occurred is critical for investigation of a... |
V-88835 | Medium | tc Server CaSa must produce log records containing sufficient information to establish what type of events occurred. | After a security incident has occurred, investigators will often review log files to determine what happened. Understanding what type of event occurred is critical for investigation of a... |
V-88797 | Medium | tc Server API must perform server-side session management. | Cookies are a common way to save session state over the HTTP(S) protocol. If an attacker can compromise session data stored in a cookie, they are better able to launch an attack against the server... |
V-88983 | Medium | tc Server CaSa document directory must be in a separate partition from the web servers system files. | A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To... |
V-89109 | Medium | tc Server UI must remove all export ciphers to protect the confidentiality and integrity of transmitted information. | During the initial setup of a Transport Layer Security (TLS) connection to the web server, the client sends a list of supported cipher suites in order of preference. The web server will reply... |
V-89101 | Medium | tc Server API must set the secure flag for cookies. | Cookies can be sent to a client using TLS/SSL to encrypt the cookies, but TLS/SSL is not used by every hosted application since the data being displayed does not require the encryption of the... |
V-89023 | Medium | tc Server UI must set an inactive timeout for sessions. | Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By... |
V-89021 | Medium | tc Server API must have the debug option turned off. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or... |
V-89027 | Medium | tc Server API must set an inactive timeout for sessions. | Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By... |
V-89025 | Medium | tc Server CaSa must set an inactive timeout for sessions. | Leaving sessions open indefinitely is a major security risk. An attacker can easily use an already authenticated session to access the hosted application as the previously authenticated user. By... |
V-88925 | Medium | tc Server UI must be configured with memory leak protection. | The Java Runtime environment can cause a memory leak or lock files under certain conditions. Without memory leak protection, tc Server HORIZON can continue to consume system resources which will... |
V-88927 | Medium | tc Server CaSa must be configured with memory leak protection. | The Java Runtime environment can cause a memory leak or lock files under certain conditions. Without memory leak protection, tc Server HORIZON can continue to consume system resources which will... |
V-88921 | Medium | tc Server API must have mappings set for Java Servlet Pages. | Resource mapping is the process of tying a particular file type to a process in the web server that can serve that type of file to a requesting client and to identify which file types are not to... |
V-88923 | Medium | tc Server ALL must not have the Web Distributed Authoring (WebDAV) servlet installed. | A web server can be installed with functionality that, just by its nature, is not secure. Web Distributed Authoring (WebDAV) is an extension to the HTTP protocol that, when developed, was meant to... |
V-88929 | Medium | tc Server API must be configured with memory leak protection. | The Java Runtime environment can cause a memory leak or lock files under certain conditions. Without memory leak protection, tc Server HORIZON can continue to consume system resources which will... |
V-88881 | Medium | tc Server API log files must only be accessible by privileged users. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system... |
V-88947 | Medium | tc Server API must encrypt passwords during transmission. | Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to... |
V-88829 | Medium | tc Server CaSa must capture, record, and log all content related to a user session. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the... |
V-88945 | Medium | tc Server CaSa must encrypt passwords during transmission. | Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to... |
V-88943 | Medium | tc Server UI must encrypt passwords during transmission. | Data used to authenticate, especially passwords, needs to be protected at all times, and encryption is the standard method for protecting authentication data during transmission. Data used to... |
V-88941 | Medium | tc Server API must be configured to use a specified IP address and port. | The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP... |
V-88821 | Medium | tc Server CaSa must generate log records for user access and authentication events. | Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server... |
V-88823 | Medium | tc Server API must generate log records for user access and authentication events. | Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server... |
V-88825 | Medium | tc Server ALL must initiate logging during service start-up. | An attacker can compromise a web server during the startup process. If logging is not initiated until all the web server processes are started, key information may be missed and not available... |
V-88949 | Medium | tc Server ALL must validate client certificates, to include all intermediary CAs, to ensure the client-presented certificates are valid and that the entire trust chain is valid. If PKI is not being used, this check is Not Applicable. | The DoD standard for authentication is DoD-approved PKI certificates. A certificate’s certification path is the path from the end entity certificate to a trusted root certification authority (CA).... |
V-88827 | Medium | tc Server UI must capture, record, and log all content related to a user session. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the... |
V-88789 | Medium | tc Server CaSa must limit the number of times that each TCP connection is kept alive. | KeepAlive provides long-lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects of several types of denial-of-service... |
V-88875 | Medium | tc Server ALL must use a logging mechanism that is configured to alert the ISSO and SA in the event of a processing failure. | Reviewing log data allows an investigator to recreate the path of an attacker and to capture forensic data for later use. Log data is also essential to system administrators in their daily... |
V-89039 | Medium | tc Server ALL log files must be moved to a permanent repository in accordance with site policy. | A web server will typically utilize logging mechanisms for maintaining a historical log of activity that occurs within a hosted application. This information can then be used for diagnostic... |
V-89031 | Medium | tc Server UI must be configured to use the https scheme. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform... |
V-89033 | Medium | tc Server CaSa must be configured to use the https scheme. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform... |
V-89035 | Medium | tc Server API must be configured to use the https scheme. | Remote access to the web server is any access that communicates through an external, non-organization-controlled network. Remote access can be used to access hosted applications or to perform... |
V-88981 | Medium | tc Server UI document directory must be in a separate partition from the web server's system files. | A web server is used to deliver content on the request of a client. The content delivered to a client must be controlled, allowing only hosted application files to be accessed and delivered. To... |
V-89037 | Medium | tc Server ALL must use a logging mechanism that is configured to allocate log record storage capacity large enough to accommodate the logging requirements of the web server. | In order to make certain that the logging mechanism used by the web server has sufficient storage capacity in which to write the logs, the logging mechanism needs to be able to allocate log record... |
V-88937 | Medium | tc Server UI must be configured to use a specified IP address and port. | The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP... |
V-88939 | Medium | tc Server CaSa must be configured to use a specified IP address and port. | The web server must be configured to listen on a specified IP address and port. Without specifying an IP address and port for the web server to utilize, the web server will listen on all IP... |
V-88955 | Medium | tc Server UI must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and... |
V-88957 | Medium | tc Server CaSa must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and... |
V-89089 | Medium | tc Server API session IDs must be sent to the client using SSL/TLS. | The HTTP protocol is a stateless protocol. To maintain a session, a session identifier is used. The session identifier is a piece of data that is used to identify a session and a user. If the... |
V-88951 | Medium | tc Server ALL must only allow authenticated system administrators to have access to the keystore. | The web server's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications between the web server and... |
V-88953 | Medium | tc Server ALL must only allow authenticated system administrators to have access to the truststore. | The web server's private key is used to prove the identity of the server to clients and securely exchange the shared secret key used to encrypt communications between the web server and... |
V-89085 | Medium | tc Server UI session IDs must be sent to the client using SSL/TLS. | The HTTP protocol is a stateless protocol. To maintain a session, a session identifier is used. The session identifier is a piece of data that is used to identify a session and a user. If the... |
V-89087 | Medium | tc Server CaSa session IDs must be sent to the client using SSL/TLS. | The HTTP protocol is a stateless protocol. To maintain a session, a session identifier is used. The session identifier is a piece of data that is used to identify a session and a user. If the... |
V-89081 | Medium | tc Server CaSa must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission. | Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during... |
V-88959 | Medium | tc Server API must use cryptographic modules that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance when authenticating users and processes. | Encryption is only as good as the encryption modules utilized. Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and... |
V-89083 | Medium | tc Server API must employ cryptographic mechanisms (TLS/DTLS/SSL) preventing the unauthorized disclosure of information during transmission. | Preventing the disclosure of transmitted information requires that the web server take measures to employ some form of cryptographic mechanism in order to protect the information during... |
V-89005 | Medium | tc Server UI must set the welcome-file node to a default web page. | The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an... |
V-89007 | Medium | tc Server CaSa must set the welcome-file node to a default web page. | The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an... |
V-89001 | Medium | tc Server CaSa must use the setCharacterEncodingFilter filter. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in... |
V-89003 | Medium | tc Server API must use the setCharacterEncodingFilter filter. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in... |
V-89009 | Medium | tc Server API must set the welcome-file node to a default web page. | The goal is to completely control the web user's experience in navigating any portion of the web document root directories. Ensuring all web content directories have at least the equivalent of an... |
V-89099 | Medium | tc Server CaSa must set the secure flag for cookies. | Cookies can be sent to a client using TLS/SSL to encrypt the cookies, but TLS/SSL is not used by every hosted application since the data being displayed does not require the encryption of the... |
V-88785 | Medium | tc Server API must limit the amount of time that each TCP connection is kept alive. | Denial of Service is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resources are available to satisfy legitimate requests.... |
V-89093 | Medium | tc Server CaSa must set the useHttpOnly parameter. | A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side scripts, information such as session identifiers... |
V-88787 | Medium | tc Server UI must limit the number of times that each TCP connection is kept alive. | KeepAlive provides long-lived HTTP sessions that allow multiple requests to be sent over the same connection. Enabling KeepAlive mitigates the effects of several types of denial-of-service... |
V-89091 | Medium | tc Server UI must set the useHttpOnly parameter. | A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side scripts, information such as session identifiers... |
V-88781 | Medium | tc Server UI must limit the amount of time that each TCP connection is kept alive. | Denial of Service is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resources are available to satisfy legitimate requests.... |
V-89097 | Medium | tc Server UI must set the secure flag for cookies. | Cookies can be sent to a client using TLS/SSL to encrypt the cookies, but TLS/SSL is not used by every hosted application since the data being displayed does not require the encryption of the... |
V-88783 | Medium | tc Server CaSa must limit the amount of time that each TCP connection is kept alive. | Denial of Service is one threat against web servers. Many DoS attacks attempt to consume web server resources in such a way that no more resources are available to satisfy legitimate requests.... |
V-89095 | Medium | tc Server API must set the useHttpOnly parameter. | A cookie can be read by client-side scripts easily if cookie properties are not set properly. By allowing cookies to be read by the client-side scripts, information such as session identifiers... |
V-89013 | Medium | tc Server CaSa must have the allowTrace parameter set to false. | Web servers will often display error messages to client users displaying enough information to aid in the debugging of the error. The information given back in error messages may display the web... |
V-89011 | Medium | tc Server UI must have the allowTrace parameter set to false. | Web servers will often display error messages to client users displaying enough information to aid in the debugging of the error. The information given back in error messages may display the web... |
V-89017 | Medium | tc Server UI must have the debug option turned off. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or... |
V-89015 | Medium | tc Server API must have the allowTrace parameter set to false. | Web servers will often display error messages to client users displaying enough information to aid in the debugging of the error. The information given back in error messages may display the web... |
V-89019 | Medium | tc Server CaSa must have the debug option turned off. | Information needed by an attacker to begin looking for possible vulnerabilities in a web server includes any information about the web server and plug-ins or modules being used. When debugging or... |
V-89123 | Medium | tc Server ALL must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including STIGs, NSA configuration guides, CTOs, and DTMs. | Configuring the web server to implement organization-wide security implementation guides and security checklists guarantees compliance with federal standards and establishes a common security... |
V-88899 | Medium | tc Server ALL expansion modules must be fully reviewed, tested, and signed before they can exist on a production web server. | In the case of a production web server, areas for content development and testing will not exist, as this type of content is only permissible on a development website. The process of developing on... |
V-88895 | Medium | tc Server ALL log data and records must be backed up onto a different system or media. | Protection of tc Server ALL log data includes assuring log data is not accidentally lost or deleted. Backing up tc Server ALL log records to an unrelated system or onto separate media than the... |
V-88897 | Medium | tc Server ALL server files must be verified for their integrity (e.g., checksums and hashes) before becoming part of the production web server. | Being able to verify that a patch, upgrade, certificate, etc., being added to the web server is unchanged from the producer of the file is essential for file validation and non-repudiation of the... |
V-89121 | Medium | tc Server ALL must have all security-relevant software updates installed within the configured time period directed by an authoritative source. | Security flaws with software applications are discovered daily. Vendors are constantly updating and patching their products to address newly discovered security vulnerabilities. Organizations... |
V-88891 | Medium | tc Server CaSa log files must be protected from unauthorized deletion. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security... |
V-88893 | Medium | tc Server API log files must be protected from unauthorized deletion. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security... |
V-88815 | Medium | tc Server API must record user access in a format that enables monitoring of remote access. | Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine the attacker's location, intent, and degree of... |
V-88817 | Medium | tc Server ALL must generate log records for system startup and shutdown. | Logging must be started as soon as possible when a service starts and when a service is stopped. Many forms of suspicious actions can be detected by analyzing logs for unexpected service starts... |
V-88811 | Medium | tc Server UI must record user access in a format that enables monitoring of remote access. | Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine the attacker's location, intent, and degree of... |
V-88813 | Medium | tc Server CaSa must record user access in a format that enables monitoring of remote access. | Remote access can be exploited by an attacker to compromise the server. By recording all remote access activities, it will be possible to determine the attacker's location, intent, and degree of... |
V-88819 | Medium | tc Server UI must generate log records for user access and authentication events. | Log records can be generated from various components within the web server (e.g., httpd, plug-ins to external backends, etc.). From a web server perspective, certain specific web server... |
V-88877 | Medium | tc Server UI log files must only be accessible by privileged users. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system... |
V-88799 | Medium | tc Server UI must be configured with FIPS 140-2 compliant ciphers for HTTPS connections. | Encryption of data-in-flight is an essential element of protecting information confidentiality. If a web server uses weak or outdated encryption algorithms, then the server's communications can... |
V-88873 | Medium | tc Server API must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the... |
V-88871 | Medium | tc Server CaSa must produce log records containing sufficient information to establish the identity of any user/subject or process associated with an event. | After a security incident has occurred, investigators will often review log files to determine what happened. tc Server HORIZON must create a log entry when a user accesses the system and the... |
V-88979 | Medium | tc Server API must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail. | Determining a safe state for failure and weighing that against a potential DoS for users depends on what type of application the web server is hosting. For an application presenting publicly... |
V-88977 | Medium | tc Server CaSa must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail. | Determining a safe state for failure and weighing that against a potential DoS for users depends on what type of application the web server is hosting. For an application presenting publicly... |
V-88975 | Medium | tc Server UI must be built to fail to a known safe state if system initialization fails, shutdown fails, or aborts fail. | Determining a safe state for failure and weighing that against a potential DoS for users depends on what type of application the web server is hosting. For an application presenting publicly... |
V-88973 | Medium | tc Server ALL baseline must be documented and maintained. | Making certain that the web server has not been updated by an unauthorized user is always a concern. Adding patches, functions, and modules that are untested and not part of the baseline opens the... |
V-88879 | Medium | tc Server CaSa log files must only be accessible by privileged users. | Log data is essential in the investigation of events. If log data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system... |
V-88805 | Medium | tc Server UI must use cryptography to protect the integrity of remote sessions. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed... |
V-89067 | Medium | tc Server UI must use NSA Suite A cryptography when encrypting data that must be compartmentalized. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to... |
V-89065 | Medium | tc Server API must be configured with the appropriate ports. | Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system.... |
V-88889 | Medium | tc Server UI log files must be protected from unauthorized deletion. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security... |
V-89063 | Medium | tc Server CaSa must be configured with the appropriate ports. | Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system.... |
V-89061 | Medium | tc Server UI must be configured with the appropriate ports. | Web servers provide numerous processes, features, and functionalities that utilize TCP/IP ports. Some of these processes may be deemed unnecessary or too unsecure to run on a production system.... |
V-88883 | Medium | tc Server UI log files must be protected from unauthorized modification. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security... |
V-88997 | Medium | tc Server API must set URIEncoding to UTF-8. | Invalid user input occurs when a user inserts data or characters into a hosted application's data entry field and the hosted application is unprepared to process that data. This results in... |
V-88887 | Medium | tc Server API log files must be protected from unauthorized modification. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security... |
V-89069 | Medium | tc Server CaSa must use NSA Suite A cryptography when encrypting data that must be compartmentalized. | Cryptography is only as strong as the encryption modules/algorithms employed to encrypt the data. Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to... |
V-88885 | Medium | tc Server CaSa log files must be protected from unauthorized modification. | Log data is essential in the investigation of events. The accuracy of the information is always pertinent. Information that is not accurate does not help in the revealing of potential security... |
V-88803 | Medium | tc Server API must be configured with FIPS 140-2 compliant ciphers for HTTPS connections. | Encryption of data-in-flight is an essential element of protecting information confidentiality. If a web server uses weak or outdated encryption algorithms, then the server's communications can... |
V-88801 | Medium | tc Server CaSa must be configured with FIPS 140-2 compliant ciphers for HTTPS connections. | Encryption of data-in-flight is an essential element of protecting information confidentiality. If a web server uses weak or outdated encryption algorithms, then the server's communications can... |
V-88807 | Medium | tc Server CaSa must use cryptography to protect the integrity of remote sessions. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed... |
V-89057 | Medium | tc Server CaSa application, libraries, and configuration files must only be accessible to privileged users. | A web server can be modified through parameter modification, patch installation, upgrades to the web server or modules, and security parameter changes. With each of these changes, there is the... |
V-88809 | Medium | tc Server API must use cryptography to protect the integrity of remote sessions. | Data exchanged between the user and the web server can range from static display data to credentials used to log into the hosted application. Even when data appears to be static, the non-displayed... |