10.14 Do not allow cross context requests

Information

Setting crossContext to true allows for an application to call ServletConext.getContext to return a dispatcher for another application.

Rationale:

Allowing crossContext creates the possibility for a malicious application to make requests to a restricted application.

Solution

Set the crossContext attribute in all context.xml files to false:

<Context ... crossContext='false' />

Default Value:

By default crossContext has a value of false.

See Also

https://workbench.cisecurity.org/files/4103

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|CM-7, 800-53|CM-7(1), 800-53|SI-7, 800-53|SI-7(1), CSCv7|4.7

Plugin: Unix

Control ID: 2337337ff1ac887a24b8fdeb3d7a2c41e00f22bc66c69ab375177cefc387bdfa