V-222951

CAT II (Medium)

The shutdown port must be disabled.

Rule ID

SV-222951r960963_rule

STIG

Apache Tomcat Application Server 9 Security Technical Implementation Guide

Version

V3R4

CCIs

CCI-000381

Discussion

Tomcat listens on TCP port 8005 to accept shutdown requests. By connecting to this port and sending the SHUTDOWN command, all applications within Tomcat are halted. The shutdown port is not exposed to the network as it is bound to the loopback interface. Set the shutdown attribute in $CATALINA_BASE/conf/server.xml.

Check Content

From the Tomcat server run the following OS command:

$ sudo grep -i shutdown $CATALINA_BASE/conf/server.xml

Ensure the port attribute of the Server element in $CATALINA_BASE/conf/server.xml is set to -1.

EXAMPLE:
<Server port="-1" shutdown="SHUTDOWN">

If the Server element's port attribute is not "-1" (for example, <Server port="8005" shutdown="SHUTDOWN">), this is a finding.
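The grep in the check above lists every line containing "shutdown", including commented-out Server elements, so the reviewer still has to read the output and decide. The following Python script is an added example (not part of the STIG or of STIGhub) that applies the same V-222951 test by parsing server.xml as XML and reading the port attribute of the root Server element directly. The two server.xml fragments embedded in it are constructed samples; the CATALINA_BASE handling and the "manual-review" status for property-substituted values are the example's own choices.

```python
"""Automated check for Tomcat STIG V-222951: the shutdown port must be disabled."""
import os
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample configurations for demonstration; not taken from a real host.
# The XML comment contains the word "shutdown", so `grep -i shutdown` reports it
# alongside the live Server element; an XML parser ignores it.
NONCOMPLIANT_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!-- previously: <Server port="-1" shutdown="SHUTDOWN"> -->
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""

COMPLIANT_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""


def check_shutdown_port(server_xml_text: str) -> dict:
    """Evaluate V-222951 against the contents of a server.xml.

    Returns {"port": <attribute value or None>,
             "status": "pass" | "finding" | "manual-review"}.
    """
    root = ET.fromstring(server_xml_text)
    if root.tag != "Server":
        raise ValueError(f"expected root element <Server>, found <{root.tag}>")
    port = root.get("port")
    if port is None:
        # Tomcat uses its built-in default shutdown port (8005) when the
        # attribute is absent, so a missing attribute is still a finding.
        return {"port": None, "status": "finding"}
    port = port.strip()
    if "${" in port:
        # Value is resolved from a system property at startup and cannot be
        # verified from the file alone; hand it to a human reviewer.
        return {"port": port, "status": "manual-review"}
    return {"port": port, "status": "pass" if port == "-1" else "finding"}


def check_file(path: Optional[str] = None) -> dict:
    """Check a server.xml on disk, defaulting to $CATALINA_BASE/conf/server.xml."""
    if path is None:
        base = os.environ.get("CATALINA_BASE")
        if not base:
            raise RuntimeError("CATALINA_BASE is not set; pass the path explicitly")
        path = os.path.join(base, "conf", "server.xml")
    with open(path, encoding="utf-8") as fh:
        result = check_shutdown_port(fh.read())
    result["path"] = path
    return result


if __name__ == "__main__":
    # Run against the embedded samples so the script demonstrates itself offline.
    for label, text in (("non-compliant", NONCOMPLIANT_SERVER_XML),
                        ("compliant", COMPLIANT_SERVER_XML)):
        print(label, check_shutdown_port(text))
```

Run check_file() on the host after applying the fix text; a "pass" status means the Server element carries port="-1", which is the only value the rule accepts. Any "manual-review" result should be resolved by confirming the system property that Tomcat substitutes at startup.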

Fix Text

From the Tomcat server as a privileged user, edit the $CATALINA_BASE/conf/server.xml file: set the Server port setting to -1 and restart the Tomcat server.

<Server port="-1" shutdown="SHUTDOWN">

sudo systemctl restart tomcat
sudo systemctl daemon-reload