1.2 Disable Unused Connectors

Information

The default installation of Tomcat includes connectors with default settings. These are traditionally set up for convenience. It is best to remove these connectors and enable only what is needed.

Rationale:

Improperly configured or unnecessarily installed Connectors may lead to a security exposure.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Within the $CATALINA_HOME/conf/server.xml, remove, or comment out, every unused Connectors. For example, to disable an instance of the HTTPConnector, remove the following:

<Connector className='org.apache.catalina.connector.http.HttpConnector'
...
connectionTimeout='60000'/>

Default Value:

$CATALINA_HOME/conf/server.xml, has the following connectors defined by default:

A non-SSL HTTP Connector bound to port 8080

An AJP Connector bound to port 8009

References:

https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html#Connectors

https://tomcat.apache.org/tomcat-8.5-doc/security-howto.html#Connectors

See Also

https://workbench.cisecurity.org/files/2506

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, CSCv7|9.2

Plugin: Unix

Control ID: 61a0006c1cba76761637d5b55b9d6676d66ed5a8e64c3edfadbed41e5df317ca