1.2 Disable Unused Connectors

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The default installation of Tomcat includes connectors with default settings. These are traditionally set up for convenience. It is best to remove these connectors and enable only what is needed.

Rationale:

Improperly configured or unnecessarily installed Connectors may lead to a security exposure.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Within the $CATALINA_HOME/conf/server.xml, remove, or comment out, each unused Connector. For example, to disable an instance of the HTTPConnector, remove the following:

<Connector className='org.apache.catalina.connector.http.HttpConnector'
...
connectionTimeout='60000'/>

Default Value:

$CATALINA_HOME/conf/server.xml, has the following connectors defined by default:

A non-SSL HTTP Connector bound to port 8080

An AJP Connector bound to port 8009

See Also

https://workbench.cisecurity.org/files/4103