Do not allow cross context requests

Details

Setting crossContext to false prevents an application from calling ServletConext.getContext to return a dispatcher for another application.

Rationale:

Allowing crossContext creates the possibility for a malicious application to make requests to a restricted application.

Solution

Set the crossContext attribute in all context.xml files to false:

Default Value:

By default crossContext has a value of false.

References:

https://tomcat.apache.org/tomcat-8.0-doc/config/context.html

Supportive Information

The following resource is also helpful.

https://workbench.cisecurity.org/files/2506

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.

References

800-53|AC-6(10)
CSCv7|4.7

Source

Tenable.com/audits

Updated on July 16, 2022

Was this article helpful?

Yes No

Details

Solution

Supportive Information

References

Source

Related Articles