TCAT-AS-000780 - Access to JMX management interface must be restricted.
Java Management Extensions (JMX) is used to provide programmatic access to Tomcat for management purposes. This includes monitoring and control of java applications running on Tomcat. If network access to the JMX port is not restricted, attackers can gain access to the application used to manage the system.
Make an operational determination regarding the use of JMX. If JMX management is decided upon, identify the management networks that are used for system management. Update the system security plan and network documentation with the information. Edit the /etc/systemd/system/tomcat.service file. Add or modify the existing CATALINA_OPTS -Dcom.sun.management.jmxremote.host setting. Set the host parameter to an IP address that is only available on a management network. EXAMPLE: CATALINA_OPTS='-Dcom.sun.management.jmxremote.host=192.168.0.150' Restart Tomcat: sudo systemctl restart tomcat sudo systemctl daemon-reload Verify jmxmanagement access is restricted to the management network IP address range.