Do not allow symbolic linking

Details

Symbolic links permit one application to include the libraries from another. This allows for re-use of code but also allows for potential security issues when applications include libraries from other applications to which they should not have access.

Rationale:

Allowing symbolic links makes Tomcat susceptible to directory traversal vulnerabilities. There is also the potential for an application to link to another application to which it should not be linking. On case-insensitive operating systems there is the additional threat of source code disclosure.

Solution

In every context.xml, set the allowLinking attribute to false:

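As an added example (not part of the original page and not Tomcat's own code), a small Python audit that parses context.xml content and flags any file that still enables allowLinking. It assumes the Tomcat 8 placement of the attribute on the `<Resources>` child of `<Context>` and also checks the older placement on `<Context>` itself; the two sample files are constructed.

```python
"""Added audit helper: flag Tomcat context.xml content that enables allowLinking."""
from pathlib import Path
import xml.etree.ElementTree as ET

# Constructed sample: the weak setting, as it might appear in a webapp's context.xml.
WEAK_CONTEXT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Context>
    <Resources allowLinking="true" />
</Context>
"""

# Constructed sample: the hardened setting this control requires.
HARDENED_CONTEXT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Context>
    <Resources allowLinking="false" />
</Context>
"""

def allow_linking_findings(xml_text: str) -> list[str]:
    """Return the tag of every element that sets allowLinking to true.

    Assumption (not from the page): Tomcat 8 places the attribute on <Resources>;
    Tomcat 7 and earlier placed it on <Context>, so both are checked.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if elem.tag in ("Context", "Resources"):
            # Tomcat parses the value as a boolean, so "TRUE" counts as enabled too.
            if elem.get("allowLinking", "false").strip().lower() == "true":
                findings.append(elem.tag)
    return findings

def is_compliant(xml_text: str) -> bool:
    """True when nothing in the file enables symbolic linking (the required state)."""
    return not allow_linking_findings(xml_text)

def audit_tomcat_dir(base: str) -> dict[str, list[str]]:
    """Walk a CATALINA_BASE tree and report every context.xml that enables linking."""
    report = {}
    for path in Path(base).rglob("context.xml"):
        try:
            findings = allow_linking_findings(path.read_text(encoding="utf-8"))
        except ET.ParseError as exc:
            findings = [f"unparseable: {exc}"]  # report, do not silently skip
        if findings:
            report[str(path)] = findings
    return report
```

Run `audit_tomcat_dir` against CATALINA_BASE to cover both `conf/context.xml` and each webapp's `META-INF/context.xml`; an empty report means every file is compliant.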
Default Value:

By default allowLinking has a value of false.

References:

https://tomcat.apache.org/tomcat-8.0-doc/config/resources.html

https://tomcat.apache.org/tomcat-8.0-doc/config/context.html

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Unix.

Updated on July 16, 2022