10.9 Do not allow custom header status messages

Information

Being able to specify custom status messages opens up the possibility for additional headers to be injected. If custom header status messages are required, make sure it is only in US-ASCII and does not include any user-supplied data.

Solution

Start Tomcat with USE_CUSTOM_STATUS_MSG_IN_HEADER set to false. Add the following to your startup script.
-Dorg.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER=false

See Also

https://workbench.cisecurity.org/files/266

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-30(5)

Plugin: Unix

Control ID: ef6e5a5d2653e8fb43fd688df088e83e5a1dc7f372f2bf72419f9e9ab243ab3f