Information
The default installation of Tomcat includes connectors with default settings. These are traditionally set up for convenience. It is best to remove these connectors and enable only what is needed.
Rationale:
Improperly configured or unnecessarily installed Connectors may lead to a security exposure.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Within the $CATALINA_HOME/conf/server.xml, remove, or comment out, every unused Connectors. For example, to disable an instance of the HTTPConnector, remove the following:
<Connector className='org.apache.catalina.connector.http.HttpConnector'
...
connectionTimeout='60000'/>
Default Value:
$CATALINA_HOME/conf/server.xml, has the following connectors defined by default:
A non-SSL HTTP Connector bound to port 8080
An AJP Connector bound to port 8009
References:
https://tomcat.apache.org/tomcat-8.0-doc/security-howto.html#Connectors
https://tomcat.apache.org/tomcat-8.5-doc/security-howto.html#Connectors