InformationThe default installation of Tomcat includes connectors with default settings. These are traditionally set up for convenience. It is best to remove these connectors and enable only what is needed.
Improperly configured or unnecessarily installed Connectors may lead to a security exposure.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
SolutionWithin the $CATALINA_HOME/conf/server.xml, remove, or comment out, every unused Connectors. For example, to disable an instance of the HTTPConnector, remove the following:
$CATALINA_HOME/conf/server.xml, has the following connectors defined by default:
A non-SSL HTTP Connector bound to port 8080
An AJP Connector bound to port 8009