search cancel

'TCAT-AS-000110 - The Java Security Manager must be enabled.' (Vuln ID: V-222936)

book

Article ID: 225751

calendar_today

Updated On:

Products

CA Spectrum DX NetOps

Issue/Introduction

'TCAT-AS-000110 - The Java Security Manager must be enabled.' (Vuln ID: V-222936) 

Details

Check Text ( C-24608r426252_chk )
Review system documentation. Identify the tomcat systemd startup file which for STIG purposes is called "tomcat.service" and can be viewed as a link in the /etc/systemd/system/ folder.

Run the following command:
sudo cat /etc/systemd/system/tomcat.service |grep -i security

If there is a documented and approved risk acceptance for not operating the Security Manager, the finding can be reduced to a CAT III.

If the ExecStart parameter does not include the -security flag, this is a finding.
Fix Text (F-24597r426253_fix)
Refer to the vulnerability discussion of this requirement for additional information. Install the application in a test environment and determine the application access requirements. Test and document the Java Security Manager policy and then transfer the JSM policy to the $CATALINA_BASE/conf/catalina.properties file. If operating multiple instances of Tomcat, use $CATALINA_BASE in place of $CATALINA_HOME as per standard Tomcat practice.

As an admin user on the Tomcat server, modify the /etc/systemd/system/tomcat.service file and set the "ExecStart" parameter to read:
"ExecStart=/opt/tomcat/bin/startup.sh -security"

sudo systemctl restart tomcat
sudo systemctl daemon-reload

 

Environment

Release : 21.2

 

Resolution



The -security when starting OneClick's tomcat has been added in NetOps 21.2.12

DX NetOps Spectrum Enhancements and Performance Improvements 21.2.12
DX NetOps Spectrum now ensures that the Tomcat and WebTomcat processes are started with
Java SecurityManager by using the -security option by default. This enhancement helps you address
vulnerabilities and avoid any unwarranted security attacks on your server. Additionally, the security
permissions for Tomcat and WebTomcat are also updated in the catalina.policy file
($SPECROOT/tomcat/conf/ and $SPECROOT/webtomcat/conf/).