'TCAT-AS-000490 - The shutdown port must be disabled.' (Vuln ID: V-222951)


Article ID: 224320


Products

CA Spectrum DX NetOps

Issue/Introduction

From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file: set the Server port setting to -1 and restart the Tomcat server.

<Server port="-1" shutdown="SHUTDOWN">

sudo systemctl restart tomcat
sudo systemctl daemon-reload

Tomcat listens on TCP port 8005 to accept shutdown requests. By connecting to this port and sending the SHUTDOWN command, all applications within Tomcat are halted. The shutdown port is not exposed to the network as it is bound to the loopback interface. Set the shutdown attribute in $CATALINA_BASE/conf/server.xml.

Environment

Release : 21.2


Resolution

With DX NetOps 21.2.1 the SHUTDOWN port for OneClick's Tomcat is set to -1 to disable it. Other code was involved around this as well.

NetOps 21.2.1 $SPECROOT/tomcat/conf/server.xml


The webtomcat, however, still requires the SHUTDOWN port to stop some of the applications, so that port must remain set at this time.

Features and Enhancements (broadcom.com)
The Tomcat server shutdown port has been disabled to avoid external attacks.

The webtomcat shutdown port is not disabled because it is required in the Linux environment to stop all the webtomcat processes. To secure the webtomcat shutdown port, change the shutdown password in $SPECROOT/webtomcat/conf/server.xml from the default value, SHUTDOWN, to a strong password, and restart webtomcat.
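To verify both settings described above (port -1 for OneClick's Tomcat, and a non-default shutdown string where the webtomcat port must stay open), the following audit script is an added example, not Broadcom's code; the sample server.xml fragments and the 16-character minimum are constructed assumptions.

```python
# Added example (not from the Broadcom article): audit a Tomcat server.xml for
# the two controls the article describes. Tomcat reads the shutdown port, the
# shutdown command string and the bind address from attributes of <Server>.
from typing import List
import xml.etree.ElementTree as ET

DEFAULT_SHUTDOWN = "SHUTDOWN"
MIN_COMMAND_LEN = 16          # assumed policy threshold, not a Tomcat default
LOOPBACK = ("localhost", "127.0.0.1", "::1")

def audit_shutdown(server_xml: str) -> List[str]:
    """Return findings for one server.xml document; an empty list means compliant."""
    root = ET.fromstring(server_xml)
    if root.tag != "Server":
        return ["root element is not <Server>"]
    port = root.get("port", "8005")                 # Tomcat default when omitted
    command = root.get("shutdown", DEFAULT_SHUTDOWN)
    address = root.get("address", "localhost")      # Tomcat default when omitted
    if port == "-1":
        return []                                   # port disabled: nothing to check
    findings = [f"shutdown port enabled on {port}"]
    if command == DEFAULT_SHUTDOWN:
        findings.append("shutdown command is the default SHUTDOWN; set a strong value")
    elif len(command) < MIN_COMMAND_LEN:            # never echo the secret itself
        findings.append(f"shutdown command is shorter than {MIN_COMMAND_LEN} characters")
    if address not in LOOPBACK:
        findings.append(f"shutdown port bound to {address}, not the loopback interface")
    return findings

def audit_file(path: str) -> List[str]:
    """Audit an on-disk server.xml, e.g. $SPECROOT/webtomcat/conf/server.xml."""
    with open(path, encoding="utf-8") as fh:
        return audit_shutdown(fh.read())

# Constructed fragments modelled on the article's two cases.
ONECLICK_XML = '<Server port="-1" shutdown="SHUTDOWN"><Service name="Catalina"/></Server>'
WEBTOMCAT_DEFAULT_XML = '<Server port="8005" shutdown="SHUTDOWN"/>'
WEBTOMCAT_HARDENED_XML = '<Server port="8005" shutdown="Rz7qL0vN4tXe2Wb8pK"/>'

if __name__ == "__main__":
    for name, doc in (("oneclick", ONECLICK_XML),
                      ("webtomcat-default", WEBTOMCAT_DEFAULT_XML),
                      ("webtomcat-hardened", WEBTOMCAT_HARDENED_XML)):
        print(name, audit_shutdown(doc) or "compliant")
```

Run it against $SPECROOT/tomcat/conf/server.xml and $SPECROOT/webtomcat/conf/server.xml with audit_file after applying the change, and again after each upgrade in case the files are rewritten.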