TCAT-AS-000590 - Applications in privileged mode must be approved by the ISSO.

Information

The privileged attribute controls if a context (application) is allowed to use container provided servlets like the Manager servlet. It is false by default and should only be changed for trusted web applications.

Set to true to allow the context (application) to use container servlets, like the manager servlet. Use of the privileged attribute will change the context's parent class loader to be the Server class loader rather than the Shared class loader. Note that in a default installation, the Common class loader is used for both the Server and the Shared class loaders. Use of the privileged attribute will change the context's parent class loader to be the Server class loader rather than the Shared class loader.

Solution

On the Tomcat server as a privileged user, modify the relevant context.xml file and set the privileged attribute to false (privileged=false).
A restart should not be required if the context element is not maintained in the server.xml file.

If privileged mode is required for a particular application, verify trust of application and obtain documented approval from the ISSO. Document the applications that are approved to run in privileged mode and retain approvals in the system security plan (SSP) for CCRI reviews.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Tomcat_Application_Server_9_V2R4_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b., CAT|II, CCI|CCI-000382, Rule-ID|SV-222961r615938_rule, STIG-ID|TCAT-AS-000590, STIG-Legacy|SV-111447, STIG-Legacy|V-102505, Vuln-ID|V-222961

Plugin: Unix

Control ID: 7fa6d82a9fc08aed81306c03005fb56cbc1544df968199f35dda5a5133a7b0f2