'TCAT-AS-001320 - Multifactor certificate-based tokens (CAC) must be used when accessing the management interface.' (Vuln ID: V-222993) - is this needed without /manager option?
Password authentication does not provide sufficient security control when accessing a management interface. DoD has specified that the CAC will be used when authenticating and passwords will only be used when CAC authentication is not a plausible solution. Tomcat provides the ability to do certificate based authentication and client authentication; therefore, the Tomcat server must be configured to use CAC. Satisfies: SRG-APP-000391-AS-000239, SRG-APP-000392-AS-000240, SRG-APP-000402-AS-000247, SRG-APP-000403-AS-000248
Release : 21.2
Broadcom advises removing the manager and host-manager applications from $SPECROOT/tomcat/webapps.
Delete the entire directories and restart Tomcat service.
Once these are removed, this finding is not applicable.
Broadcom or DX Netops Spectrum does not use either of those applications and they are deemed a security risk to keep around.