CABI Tomcat Vulnerability: STIG V-222961 - Applications in privileged mode must be approved by the ISSO


Article ID: 244782


Products

CA Spectrum

Issue/Introduction


The following STIG finding was reported against the Apache Tomcat instance bundled with CABI (Jaspersoft):

V-222961 - Applications in privileged mode must be approved by the ISSO
https://stigviewer.com/stig/apache_tomcat_application_sever_9/2021-06-15/finding/V-222961

 

The following three entries are findings (file path, followed by the Context element found in it):

/opt/CA/SharedComponents/CABI/apache-tomcat/webapps/examples/META-INF/context.xml: <Context antiResourceLocking="false" privileged="true" >
/opt/CA/SharedComponents/CABI/apache-tomcat/webapps/host-manager/META-INF/context.xml: <Context antiResourceLocking="false" privileged="true" >
/opt/CA/SharedComponents/CABI/apache-tomcat/webapps/manager/META-INF/context.xml: <Context antiResourceLocking="false" privileged="true" >

 

Apache Tomcat Application Server 9 Security Technical Implementation Guide :: Version 2, Release: 4 Benchmark Date: 27 Jan 2022
Vul ID: V-222961     Rule ID: SV-222961r615938_rule     STIG ID: TCAT-AS-000590



Rule Title: Applications in privileged mode must be approved by the ISSO.

Discussion: The privileged attribute controls if a context (application) is allowed to use container provided servlets like the Manager servlet. It is false by default and should only be changed for trusted web applications.

Set to true to allow the context (application) to use container servlets, like the manager servlet. Use of the privileged attribute will change the context's parent class loader to be the Server class loader rather than the Shared class loader. Note that in a default installation, the Common class loader is used for both the Server and the Shared class loaders.

Check Text: Individual Context elements may be explicitly defined in an individual file located at /META-INF/context.xml inside the application files or in the $CATALINA_BASE/conf/context.xml file. It is not recommended to store the context element in the server.xml file as changes will require a server restart.

The $CATALINA_BASE/conf/context.xml element information will be loaded by all web applications; the META-INF/context.xml will only be loaded by that specific application.

On the Tomcat server as a privileged user run the following commands:

grep -i privileged $CATALINA_BASE/conf/context.xml

Repeat the following command for each installed application:

grep -i privileged $CATALINA_BASE/webapps/<application name>/META-INF/context.xml

If the privileged context attribute is set to true, confirm the application has been approved for privileged mode by the ISSO. If the application is not approved to run in privileged mode, this is a finding.

Fix Text: On the Tomcat server as a privileged user, modify the relevant context.xml file and set the privileged attribute to false (privileged="false").
A restart should not be required if the context element is not maintained in the server.xml file.

Environment

Release : 21.2

Component : Jaspersoft for CA Spectrum

Resolution

 

To remediate this finding, set privileged="false" in the META-INF/context.xml file of all three webapps (examples, host-manager, manager):

/opt/CA/SharedComponents/CABI/apache-tomcat/webapps/

      examples/META-INF/context.xml: <Context antiResourceLocking="false" privileged="false" >
      host-manager/META-INF/context.xml: <Context antiResourceLocking="false" privileged="false" >
      manager/META-INF/context.xml: <Context antiResourceLocking="false" privileged="false" >

Note that the Manager and Host Manager applications only function in a privileged context: their servlets are container servlets, which Tomcat will not load in a context with privileged="false", so this change disables both applications. If they are not used on the CABI host, deleting the examples, host-manager and manager directories from webapps is the cleaner fix. If the Manager application is actually required, the STIG check above accepts privileged="true" once the ISSO has approved the application, so document that approval rather than breaking the application. When checking or fixing, also inspect $CATALINA_BASE/conf/context.xml (inherited by every webapp) and any per-application descriptor under $CATALINA_BASE/conf/[engine]/[host]/ (conf/Catalina/localhost/ in a default install, for example manager.xml), since a descriptor there takes precedence over the webapp's own META-INF/context.xml.
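As an added example (not code from this Broadcom article or from the Apache Tomcat project), the following POSIX shell script performs the STIG check across every location Tomcat reads the privileged attribute from, not only the per-webapp META-INF/context.xml files, and then applies the remediation above. It runs against a constructed CATALINA_BASE fixture that mirrors the three findings plus a hypothetical per-application descriptor; the webapp name jasperserver in the fixture is a placeholder, not necessarily the CABI webapp name.

```shell
#!/bin/sh
# Added example, not Broadcom KB or Apache Tomcat project code.
# Audits a Tomcat CATALINA_BASE for contexts with privileged="true" and
# rewrites them to privileged="false". The fixture built by make_fixture is
# constructed for demonstration; "jasperserver" is a placeholder webapp name.

# Print every descriptor that sets privileged to true, one path per line.
# Tomcat reads the attribute from three places, all of which are checked:
#   conf/context.xml                    defaults inherited by every webapp
#   conf/<engine>/<host>/<app>.xml      per-app descriptor, overrides META-INF
#   webapps/<app>/META-INF/context.xml  the files grepped by the STIG check
find_privileged() {
  base="$1"
  {
    [ -f "$base/conf/context.xml" ] && echo "$base/conf/context.xml"
    find "$base/conf" -mindepth 3 -maxdepth 3 -name '*.xml' 2>/dev/null
    find "$base/webapps" -mindepth 3 -maxdepth 3 -path '*/META-INF/context.xml' 2>/dev/null
  } | while read -r f; do
    # privileged = "true" / 'true' / true, any letter case, any spacing
    grep -Eiq 'privileged[[:space:]]*=[[:space:]]*["'"'"']?true' "$f" && echo "$f"
  done | sort
}

# Rewrite one descriptor so privileged becomes "false", keeping a .orig copy
# (which find_privileged ignores because of its extension).
set_privileged_false() {
  f="$1"
  cp -p "$f" "$f.orig"
  sed -E 's/(privileged[[:space:]]*=[[:space:]]*["'"'"']?)[Tt][Rr][Uu][Ee]/\1false/' \
    "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Constructed CATALINA_BASE: the three findings from this article, one
# unprivileged application, and a per-app descriptor under conf/Catalina/localhost.
make_fixture() {
  base=$(mktemp -d)
  mkdir -p "$base/conf/Catalina/localhost"
  for app in examples host-manager manager jasperserver; do
    mkdir -p "$base/webapps/$app/META-INF"
  done
  for app in examples host-manager manager; do
    printf '<Context antiResourceLocking="false" privileged="true" >\n</Context>\n' \
      > "$base/webapps/$app/META-INF/context.xml"
  done
  plain='<Context>
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>'
  printf '%s\n' "$plain" > "$base/conf/context.xml"
  printf '%s\n' "$plain" > "$base/webapps/jasperserver/META-INF/context.xml"
  # Hypothetical per-app descriptor: it wins over META-INF/context.xml, so it
  # must be audited as well (note the single quotes and upper-case value).
  printf "<Context privileged='TRUE' />\n" > "$base/conf/Catalina/localhost/host-manager.xml"
  echo "$base"
}

# Stand-alone run on the fixture. Against the real instance from this article,
# pass /opt/CA/SharedComponents/CABI/apache-tomcat as the CATALINA_BASE instead.
demo=$(make_fixture)
echo "privileged=true before remediation:"
find_privileged "$demo"
find_privileged "$demo" | while read -r f; do set_privileged_false "$f"; done
echo "privileged=true after remediation (expect no output):"
find_privileged "$demo"
rm -rf "$demo"
```

Point find_privileged at /opt/CA/SharedComponents/CABI/apache-tomcat to reproduce the three findings listed above; before running set_privileged_false on the manager or host-manager descriptors, remember that doing so disables those applications, so either remove them or record the ISSO approval instead.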

Additional Information


An internal defect has been raised to determine whether these webapps can be removed, or shipped with privileged set to false, out of the box.