CABI Tomcat Vulnerability: STIG V-222955 - deployXML attribute must be set to false



Article ID: 244786


Products

CA Spectrum

Issue/Introduction

 

The following STIG finding was reported against the Apache Tomcat instance bundled with CABI/Jaspersoft:

The deployXML attribute must be set to false in hosted environments.
https://stigviewer.com/stig/apache_tomcat_application_sever_9/2020-12-11/finding/V-222955

 

Can autoDeploy be changed to false in the following file?

/opt/CA/SharedComponents/CABI/apache-tomcat/conf/server.xml

 

The deployXML attribute must be set to false in hosted environments.

Discussion: The Host element controls deployment. Automatic deployment allows for simpler management, but also makes it easier for an attacker to deploy a malicious application. Automatic deployment is controlled by the autoDeploy and deployOnStartup attributes. If both are false, only Contexts defined in server.xml will be deployed, and any changes will require a Tomcat restart.

In a hosted environment where web applications may not be trusted, set the deployXML attribute to false to ignore any context.xml packaged with the web application that may try to assign increased privileges to the web application. Note that if the security manager is enabled, the deployXML attribute will default to false.

This requirement is NA for test and development systems on non-production networks. For DevSecOps application environments, the ISSM may authorize autodeploy functions on a production Tomcat system if the mission need specifies it and an application security vulnerability testing and assurance regimen is included in the DevSecOps process.

Check Text: If the SSP associated with the Host contains ISSM documented approvals for deployXML, this is not a finding.

From the Tomcat server as a privileged user:

    sudo grep -i deployXML $CATALINA_BASE/conf/server.xml

If the deployXML setting is configured as true and there is no documented authorization to allow automatic deployment of applications, this is a finding.

Environment

Release : 21.2

Component : Jaspersoft for CA Spectrum

Resolution


This can be changed manually by setting autoDeploy to false in server.xml:

/opt/CA/SharedComponents/CABI/apache-tomcat/conf/server.xml

 

After making the change, restart the CABI Tomcat instance:

    cd /opt/CA/SharedComponents/CABI/
    ./stopServers.sh tomcat
    ./startServers.sh tomcat
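As an added example, not taken from the article or from the CABI product, the following script shows a constructed server.xml Host pair (one left at the weak settings, one corrected as the STIG requires) and a check that parses the file instead of grepping it, so a Host that simply omits deployXML (which Tomcat defaults to true) is still reported. The host names and file content are made up for the example.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (not the CABI file): one Host left at the
# weak settings and one Host corrected as the STIG requires.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <!-- weak: deployXML omitted, so Tomcat defaults it to true -->
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true"/>
      <!-- corrected: embedded context.xml ignored, no automatic deployment -->
      <Host name="hardened.example" appBase="webapps" unpackWARs="true"
            autoDeploy="false" deployOnStartup="false" deployXML="false"/>
    </Engine>
  </Service>
</Server>
"""

# Tomcat treats each of these as true when the attribute is absent
# (deployXML only defaults to false when the security manager is enabled).
CHECKED_ATTRS = ("deployXML", "autoDeploy", "deployOnStartup")


def _as_bool(value):
    """Absent means the Tomcat default (true); otherwise compare case-insensitively."""
    return True if value is None else value.strip().lower() == "true"


def audit_hosts(server_xml):
    """Map each Host name to the effective value of every checked attribute."""
    root = ET.fromstring(server_xml)
    return {
        host.get("name", "<unnamed>"): {a: _as_bool(host.get(a)) for a in CHECKED_ATTRS}
        for host in root.iter("Host")
    }


def stig_findings(server_xml):
    """Hosts where deployXML is effectively true: the V-222955 finding."""
    return [name for name, attrs in audit_hosts(server_xml).items() if attrs["deployXML"]]


if __name__ == "__main__":
    for name, attrs in audit_hosts(SAMPLE_SERVER_XML).items():
        print(name, {a: str(v).lower() for a, v in attrs.items()})
    print("V-222955 finding on:", stig_findings(SAMPLE_SERVER_XML))
```

To audit the real file, pass the contents of /opt/CA/SharedComponents/CABI/apache-tomcat/conf/server.xml to audit_hosts instead of the constructed sample.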
