Detections
Analytics

TCAT-AS-001690 - ENFORCE_ENCODING_IN_GET_WRITER must be set to true.

Information

Some clients try to guess the character encoding of text media when the mandated default of ISO-8859-1 should be used. Some browsers will interpret as UTF-7 when the characters are safe for ISO-8859-1. This can create the potential for a XSS attack. To defend against this, enforce_encoding_in_get_writer must be set to true.

Solution

From the Tomcat server as a privileged user:

Edit the /etc/systemd/system/tomcat.service file, and either add or edit the org.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER setting.

Set the org.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER=true

EXAMPLE:
Environment='CATALINA_OPTS -Dorg.apache.catalina.connector.Response.ENFORCE_ENCODING_IN_GET_WRITER=true'

Restart the Tomcat server:
sudo systemctl restart tomcat
sudo systemctl daemon-reload

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Apache_Tomcat_Application_Server_9_V3R3_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|II, CCI|CCI-000366, Rule-ID|SV-223005r1135509_rule, STIG-ID|TCAT-AS-001690, STIG-Legacy|SV-111533, STIG-Legacy|V-102593, Vuln-ID|V-223005

Plugin: Unix

Control ID: a91834137d4d02bef4d94248ea7b0a889632bf9c89407dfef5ccfd38b5f4d6ca