Vul ID: V-222926 - The number of allowed simultaneous sessions to the manager application must be limited.
The manager application provides configuration access to the Tomcat server. Access to the manager application must be limited
and that includes the number of sessions allowed to access the management application. A balance must be struck between
the number of simultaneous connections allowed to the management application and the number of authorized admins requiring
access at any given time. Determine the number of authorized admins requiring simultaneous access and increase the number
of allowed simultaneous sessions by a small percentage in order to help prevent potential lockouts.
Release : 21.2
Component : Jaspersoft for CA Spectrum
CABI/Jaspersoft does not use the manager webapp, so access to it can be configured/limited.
Add the maxActiveSessions attribute to the <Manager> element in the manager webapp's context.xml (path below) and restart Tomcat.
/opt/CA/SharedComponents/CABI/apache-tomcat/webapps/manager/META-INF/context.xml
<Context antiResourceLocking="false" privileged="true" >
  <CookieProcessor className="org.apache.tomcat.util.http.Rfc6265CookieProcessor"
                   sameSiteCookies="strict" />
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
  <Manager maxActiveSessions="2" sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.filters\.CsrfPreventionFilter\$LruCache(?:\$1)?|java\.util\.(?:Linked)?HashMap"/>
</Context>
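As an added compliance check (this is example code, not part of the original article or of CA/Broadcom tooling), the following Python script parses a manager webapp context.xml and reports whether the <Manager> element carries a positive maxActiveSessions. Tomcat's default for that attribute is -1, meaning unlimited, and a missing <Manager> element has the same effect, so both cases are reported as findings. The embedded XML samples are constructed for the example, and the path passed to check_file is a placeholder supplied by the caller.

```python
"""Audit a Tomcat manager webapp context.xml for STIG V-222926.

Added example, not part of the original article. It checks that the
<Manager> element sets a positive maxActiveSessions and that the value
does not exceed the cap the admin expects (authorized admins plus a small
margin, per the STIG text).
"""
import xml.etree.ElementTree as ET

# Constructed sample: the compliant configuration shown in the article.
COMPLIANT_XML = """<Context antiResourceLocking="false" privileged="true" >
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\\.\\d+\\.\\d+\\.\\d+|::1|0:0:0:0:0:0:0:1" />
  <Manager maxActiveSessions="2"/>
</Context>"""

# Constructed sample: no <Manager> element at all (Tomcat default = unlimited).
MISSING_XML = """<Context antiResourceLocking="false" privileged="true" >
</Context>"""

# Constructed sample: attribute present but explicitly unlimited.
UNLIMITED_XML = """<Context>
  <Manager maxActiveSessions="-1"/>
</Context>"""


def session_limit(xml_text):
    """Return the configured maxActiveSessions as an int, or None when no cap applies.

    A missing <Manager> element, a missing attribute, or a value <= 0 all mean
    Tomcat imposes no limit on simultaneous sessions.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "Context":
        raise ValueError("expected a <Context> root element, got <%s>" % root.tag)
    manager = root.find("Manager")
    if manager is None:
        return None
    value = manager.get("maxActiveSessions")
    if value is None:
        return None
    try:
        limit = int(value)
    except ValueError:
        raise ValueError("maxActiveSessions is not an integer: %r" % value)
    return limit if limit > 0 else None


def check_v222926(xml_text, max_expected=5):
    """Return (compliant, message) for one context.xml document.

    max_expected is the largest cap the site considers reasonable; a limit
    above it is flagged because it defeats the purpose of the control.
    """
    limit = session_limit(xml_text)
    if limit is None:
        return False, "no positive maxActiveSessions on <Manager>: sessions are unlimited"
    if limit > max_expected:
        return False, "maxActiveSessions=%d exceeds the expected cap of %d" % (limit, max_expected)
    return True, "maxActiveSessions=%d" % limit


def check_file(path, max_expected=5):
    """Run the check against a context.xml on disk (path is caller-supplied)."""
    with open(path, encoding="utf-8") as fh:
        return check_v222926(fh.read(), max_expected)


if __name__ == "__main__":
    for name, text in (("compliant", COMPLIANT_XML),
                       ("missing", MISSING_XML),
                       ("unlimited", UNLIMITED_XML)):
        ok, msg = check_v222926(text)
        print("%-10s %s  %s" % (name, "PASS" if ok else "FAIL", msg))
```

Point check_file at the manager webapp's context.xml (for this release, /opt/CA/SharedComponents/CABI/apache-tomcat/webapps/manager/META-INF/context.xml) after the edit and again after the Tomcat restart, since the restart is what makes the attribute take effect.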
Defect (DE538094) was raised to have this changed OOB. I asked if we could
get rid of the manager webapp altogether, as I do not believe we use it.