Details
The default installation of Tomcat includes Connectors configured with default settings, traditionally chosen for convenience rather than for a minimal attack surface. It is best to remove the Connectors that are not used and enable only what the deployment needs.
Rationale:
Improperly configured or unnecessarily installed Connectors may lead to a security exposure.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Within $CATALINA_HOME/conf/server.xml, remove, or comment out, every unused Connector. Remove the whole <Connector ... /> element, not just individual attributes. For example, to disable an instance of the HTTP Connector, remove the element whose attributes end in:
connectionTimeout="60000"/>
Default Value:
$CATALINA_HOME/conf/server.xml, has the following connectors defined by default:
A non-SSL HTTP Connector bound to port 8080
An AJP Connector bound to port 8009
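The following is an added example written for this page; it is not Nessus audit logic and not code shipped with Tomcat. It audits a server.xml for live Connector elements, flags any whose port is not on a deployment-specific allowlist (the allowlist is an assumption the reader supplies), and comments out a whole unused <Connector ... /> element the way the Solution describes. The sample server.xml is constructed to mirror the default layout listed above (an HTTP Connector on 8080 and an AJP Connector on 8009); it is not copied from any Tomcat release.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml, modelled on the stock layout described above
# (a non-SSL HTTP Connector on 8080 and an AJP Connector on 8009). It is not
# copied from any Tomcat release.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <!-- Already disabled: the parser never sees this element.
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" />
    -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def enabled_connectors(xml_text):
    """Return (port, protocol) for every Connector Tomcat would actually start.

    Commented-out elements are dropped by the XML parser, which is exactly the
    distinction the audit needs: only live elements count.
    """
    root = ET.fromstring(xml_text)
    # Tomcat treats a Connector with no protocol attribute as HTTP/1.1.
    return [(c.get("port"), c.get("protocol", "HTTP/1.1"))
            for c in root.iter("Connector")]


def unneeded_connectors(xml_text, needed_ports):
    """List enabled Connectors whose port is not on the allowlist of ports
    this deployment needs (the allowlist is the operator's decision)."""
    return [(port, proto) for port, proto in enabled_connectors(xml_text)
            if port not in needed_ports]


def comment_out_connector(xml_text, port):
    """Return server.xml text with the live Connector on `port` wrapped in an
    XML comment. The whole <Connector ... /> element is wrapped, never a
    single attribute.

    Refuses to act on a port that is not currently enabled, so an element that
    is already commented out is never wrapped in a second, nested comment, and
    re-parses the result to prove the Connector is really gone.
    """
    if port not in {p for p, _ in enabled_connectors(xml_text)}:
        raise ValueError("no enabled Connector on port %s" % port)
    # [^>]* cannot cross the '>' that closes a preceding element, so the match
    # is confined to the single Connector element carrying this port.
    element = re.compile(r'<Connector\b[^>]*\bport="%s"[^>]*/>' % re.escape(port))
    hardened, count = element.subn(lambda m: "<!-- " + m.group(0) + " -->",
                                   xml_text, count=1)
    if count != 1:
        raise ValueError("could not locate the Connector element for port %s" % port)
    # Re-parse: the file must still be well-formed and the port must be gone.
    if port in {p for p, _ in enabled_connectors(hardened)}:
        raise ValueError("Connector on port %s is still enabled after edit" % port)
    return hardened


if __name__ == "__main__":
    print("enabled:", enabled_connectors(SAMPLE_SERVER_XML))
    print("not needed:", unneeded_connectors(SAMPLE_SERVER_XML, {"8080"}))
    hardened = comment_out_connector(SAMPLE_SERVER_XML, "8009")
    print("after hardening:", enabled_connectors(hardened))
```

Run the same functions over the real $CATALINA_HOME/conf/server.xml with the set of ports the deployment actually serves. The file check is what the benchmark audits; after restarting Tomcat, confirm from the host that the removed port is no longer listening (for example with `ss -ltn`) so a Connector defined elsewhere does not go unnoticed.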
References:
https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html#Connectors
https://tomcat.apache.org/tomcat-8.5-doc/security-howto.html#Connectors
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity. This control applies to the following type of system: Unix.