'TCAT-AS-000110 - The Java Security Manager must be enabled.' (Vuln ID: V-222936)

book

Article ID: 225751

calendar_today

Updated On:

Products

CA Spectrum DX NetOps

Issue/Introduction

'TCAT-AS-000110 - The Java Security Manager must be enabled.' (Vuln ID: V-222936) 

Details

Check Text ( C-24608r426252_chk )
Review system documentation. Identify the tomcat systemd startup file which for STIG purposes is called "tomcat.service" and can be viewed as a link in the /etc/systemd/system/ folder.

Run the following command:
sudo cat /etc/systemd/system/tomcat.service |grep -i security

If there is a documented and approved risk acceptance for not operating the Security Manager, the finding can be reduced to a CAT III.

If the ExecStart parameter does not include the -security flag, this is a finding.
Fix Text (F-24597r426253_fix)
Refer to the vulnerability discussion of this requirement for additional information. Install the application in a test environment and determine the application access requirements. Test and document the Java Security Manager policy and then transfer the JSM policy to the $CATALINA_BASE/conf/catalina.properties file. If operating multiple instances of Tomcat, use $CATALINA_BASE in place of $CATALINA_HOME as per standard Tomcat practice.

As an admin user on the Tomcat server, modify the /etc/systemd/system/tomcat.service file and set the "ExecStart" parameter to read:
"ExecStart=/opt/tomcat/bin/startup.sh -security"

sudo systemctl restart tomcat
sudo systemctl daemon-reload

 

Environment

Release : 21.2

 

Resolution

This feature will eventually make it into the product via US717172.

However, currently this cannot be done in the product as it breaks Spectrum.

Look for this to be released next year (2022).