Apache Tomcat Application Server 9 STIG Ver 2, Rel 1 Checklist Details (Checklist Revisions)

Supporting Resources:

Target:

Target CPE Name
Apache Tomcat 9.0 cpe:/a:apache:tomcat:9.0 (View CVEs)

Checklist Highlights

Checklist Name:
Apache Tomcat Application Server 9 STIG
Checklist ID:
960
Version:
Ver 2, Rel 1
Type:
Compliance
Review Status:
Final
Authority:
Governmental Authority: Defense Information Systems Agency
Original Publication Date:
05/08/2020

Checklist Summary:

The Apache Tomcat Application Server 9 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. This document is meant for use in conjunction with other STIGs such as the Enclave, Network Infrastructure, Secure Remote Computing, and appropriate operating system (OS) STIGs. Apache Tomcat is a popular open source application server that provides a platform for Java Servlet, JavaServer Pages, Java Expression Language, and WebSocket technologies. Tomcat also provides a web server environment where Java application code can be deployed and run. The Tomcat web server component is designed to work in conjunction with separate Apache web servers, which are often used when a reverse proxy web application architecture is required. The Tomcat STIG was developed using Apache Tomcat 9 version 9.0.22 and Ubuntu’s OpenJDK 11.0.4+11 running on the Ubuntu Linux 18.04 bionic OS version. When applying the STIG to other Linux flavors, the SME must adapt the STIG file path information and commands to those used by the flavor of Linux being assessed. Bear in mind that the STIG was written for the management of the base Tomcat server. Applications provided with Tomcat that are used for managing the Tomcat server (e.g., the manager app) are within scope, while applications installed on the Tomcat server are not in scope. Tomcat instances operating on the Windows operating system are also not in scope for this STIG. Due to the availability of Tomcat source code and the open source nature of the product, Tomcat is often embedded into other products, particularly multi-tiered client server web applications. Using the Tomcat source code in their product allows vendors to quickly incorporate Java-based web application features and functions without recreating or licensing a separate application server component. Embedded Tomcat configurations contained within application code are not within scope of the STIG development effort. While some of the STIG requirements could potentially be applied in some of these instances, this is a case-by-case scenario. The configuration steps within the STIG were designed and tested against the publicly available Tomcat product that is downloaded and installed as a distinct application server.

Checklist Role:

  • Application Server

Known Issues:

Not provided.

Target Audience:

Parties within the DoD and Federal Government’s computing environments can obtain the applicable STIG from the Cyber Exchange website at https://cyber.mil/. This site contains the latest copies of STIGs, SRGs, and other related security information. Those without a Common Access Card (CAC) that has DoD Certificates can obtain the STIG from https://public.cyber.mil/.

Target Operational Environment:

  • Managed
  • Specialized Security-Limited Functionality (SSLF)

Testing Information:

Not provided.

Regulatory Compliance:

This document is provided under the authority of DoDI 8500.01.

Comments/Warnings/Miscellaneous:

Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. DISA will coordinate all change requests with the relevant DoD organizations before inclusion in this document. Approved changes will be made in accordance with the DISA maintenance release schedule.

Disclaimer:

Not provided.

Product Support:

Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. DISA will coordinate all change requests with the relevant DoD organizations before inclusion in this document. Approved changes will be made in accordance with the DISA maintenance release schedule.

Point of Contact:

disa.stig_spt@mail.mil

Sponsor:

Not provided.

Licensing:

Not provided.

Change History:

updated to FINAL - 8/6/2020
Updated Resource per DISA - 10/28/20
updated SHA - 11/5/2020

Dependency/Requirements:

URL Description

References:

Reference URL Description

NIST checklist record last modified on 11/05/2020