Detections
Analytics

TCAT-AS-001680 - ALLOW_BACKSLASH must be set to false.

Information

When Tomcat is installed behind a proxy configured to only allow access to certain Tomcat contexts (web applications), an HTTP request containing '/../' may allow attackers to work around the proxy restrictions using directory traversal attack methods. If allow_backslash is true the '' character will be permitted as a path delimiter. The default value for the setting is false but Tomcat should always be configured as if no proxy restricting context access was used and allow_backslash should be set to false to prevent directory traversal style attacks. This setting can create operability issues with non-compliant clients. In order to accommodate a non-compliant client, any deviation from the STIG setting must be approved by the ISSO.

Solution

As a privileged user on the Tomcat server:

If the finding is in the catalina.properties file, edit the $CATALINA_BASE/conf/catalina.properties file.

sudo nano $CATALINA_BASE/conf/catalina.properties

Change the org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true setting to =false.

If the finding is in the /etc/systemd/services/tomcat/service file, edit the file using a text editor.

sudo nano /etc/systemd/services/tomcat.service

Locate the Environment='CATALINA_OPTS=' line and change the -D.org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true setting to =false.

Restart Tomcat by running the following commands:
sudo systemctl restart tomcat
sudo systemctl daemon-reload

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Tomcat_Application_Server_9_V3R3_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-223004r1135506_rule, STIG-ID|TCAT-AS-001680, STIG-Legacy|SV-111531, STIG-Legacy|V-102591, Vuln-ID|V-223004

Plugin: Unix

Control ID: 8c99acfb5d41669848981f2f99ec0b67fba2996068ab0c4d843aa1a40c645600