| Target | CPE Name |
|---|---|
| Apache Tomcat 9.0 | cpe:/a:apache:tomcat:9.0 (View CVEs) |
The Apache Tomcat Application Server 9 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. This document is meant for use in conjunction with other STIGs such as the Enclave, Network Infrastructure, Secure Remote Computing, and appropriate operating system (OS) STIGs. Apache Tomcat is a popular open source application server that provides a platform for Java Servlet, JavaServer Pages, Java Expression Language, and WebSocket technologies. Tomcat also provides a web server environment where Java application code can be deployed and run. The Tomcat web server component is designed to work in conjunction with separate Apache web servers, which are often used when a reverse proxy web application architecture is required. The Tomcat STIG was developed using Apache Tomcat 9 version 9.0.22 and Ubuntu’s OpenJDK 11.0.4+11 running on the Ubuntu Linux 18.04 bionic OS version. When applying the STIG to other Linux flavors, the SME must adapt the STIG file path information and commands to those used by the flavor of Linux being assessed. Bear in mind that the STIG was written for the management of the base Tomcat server. Applications provided with Tomcat that are used for managing the Tomcat server (e.g., the manager app) are within scope, while applications installed on the Tomcat server are not in scope. Tomcat instances operating on the Windows operating system are also not in scope for this STIG. Due to the availability of Tomcat source code and the open source nature of the product, Tomcat is often embedded into other products, particularly multi-tiered client server web applications. Using the Tomcat source code in their product allows vendors to quickly incorporate Java-based web application features and functions without recreating or licensing a separate application server component. Embedded Tomcat configurations contained within application code are not within scope of the STIG development effort. While some of the STIG requirements could potentially be applied in some of these instances, this is a case-by-case scenario. The configuration steps within the STIG were designed and tested against the publicly available Tomcat product that is downloaded and installed as a distinct application server.
Not provided.
Parties within the DoD and Federal Government’s computing environments can obtain the applicable STIG from the Cyber Exchange website at https://cyber.mil/. This site contains the latest copies of STIGs, SRGs, and other related security information. Those without a Common Access Card (CAC) that has DoD Certificates can obtain the STIG from https://public.cyber.mil/.
Not provided.
This document is provided under the authority of DoDI 8500.01.
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. DISA will coordinate all change requests with the relevant DoD organizations before inclusion in this document. Approved changes will be made in accordance with the DISA maintenance release schedule.
Not provided.
Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil. DISA will coordinate all change requests with the relevant DoD organizations before inclusion in this document. Approved changes will be made in accordance with the DISA maintenance release schedule.
disa.stig_spt@mail.mil
Not provided.
Not provided.
updated to FINAL - 8/6/2020 Updated Resource per DISA - 10/28/20 updated SHA - 11/5/2020 Updated resource per DISA - 1/26/21 null
| URL | Description |
|---|
| Reference URL | Description |
|---|