Information
Both Fragments and annotations give rise to security concerns. web.xml contains a metadata-complete attribute in the web-app element whose binary value defines whether other sources of metadata should be considered when deploying this web application, this includes annotations on class files (@WebServlet, but also @WebListener, @WebFilter, ), web-fragment.xml as well as classes located in WEB-INF/classes. In addition, Tomcat 7 could allow you to log the effective web.xml, when an application starts, and the effective web.xml is the result of taking the main web.xml for your application merging in all the fragments applying all the annotations. By logging that you are able to review it, and see if that is in fact what you actually want.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
1. Set the metadata-complete value in the web.xml in each of applications to true, the web.xml contains a metadata-complete attribute in the web-app element whose binary value defines whether other sources of metadata should be considered when deploying this web application, this includes annotations on class files (@WebServlet, but also @WebListener, @WebFilter, ...), web-fragment.xml as well as classes located in WEB-INF/classes. If set to true, all of these will be ignored and web.xml is the only metadata considered.
NOTE: The metadata-complete option is not enough to disable all of annotation scanning. If there is a ServletContainerInitializer with a @HandlesTypes annotation, Tomcat has to scan your application for classes that use annotations or interfaces specified in that annotation.
2. Set the logEffectiveWebXml value in the context.xml in each of applications to true.