TCAT-AS-000780 - Access to JMX management interface must be restricted.

Information

Java Management Extensions (JMX) is used to provide programmatic access to Tomcat for management purposes. This includes monitoring and control of java applications running on Tomcat. If network access to the JMX port is not restricted, attackers can gain access to the application used to manage the system.

Solution

Make an operational determination regarding the use of JMX. If JMX management is decided upon, identify the management networks that are used for system management. Update the system security plan and network documentation with the information.

Edit the /etc/systemd/system/tomcat.service file.

Add or modify the existing CATALINA_OPTS -Dcom.sun.management.jmxremote.host setting. Set the host parameter to an IP address that is only available on a management network.

EXAMPLE:
CATALINA_OPTS='-Dcom.sun.management.jmxremote.host=192.168.0.150'

Restart Tomcat:
sudo systemctl restart tomcat
sudo systemctl daemon-reload

Verify jmxmanagement access is restricted to the management network IP address range.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Tomcat_Application_Server_9_V2R4_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-2, CAT|II, CCI|CCI-001082, Rule-ID|SV-222969r615938_rule, STIG-ID|TCAT-AS-000780, STIG-Legacy|SV-111461, STIG-Legacy|V-102521, Vuln-ID|V-222969

Plugin: Unix

Control ID: 53ca6346bfe5ac20796ef2300814495f33828867d39c4fb1a6c28ed717c5ecde