10.14 Do not allow cross context requests

Information

Setting crossContext to true allows for an application to call ServletConext.getContext to return a dispatcher for another application.

Rationale:

Allowing crossContext creates the possibility for a malicious application to make requests to a restricted application.

Solution

Set the crossContext attribute in all context.xml files to false:

<Context ... crossContext='false' />

Default Value:

By default crossContext has a value of false.

See Also

https://workbench.cisecurity.org/files/4103

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|CM-7, 800-53|CM-7(1), 800-53|SI-7, 800-53|SI-7(1), CSCv7|4.7

Plugin: Unix

Control ID: 85260343d7aebc55987ecb3bbb5a52f4a3c3ceeeff6a539daf759167a9ca86c4