Rule ID
SV-223004r1135506_rule
Version
V3R4
CCIs
CCI-000366
When Tomcat is installed behind a proxy configured to only allow access to certain Tomcat contexts (web applications), an HTTP request containing "/\../" may allow attackers to work around the proxy restrictions using directory traversal attack methods. If allow_backslash is true the '\' character will be permitted as a path delimiter. The default value for the setting is false but Tomcat should always be configured as if no proxy restricting context access was used and allow_backslash should be set to false to prevent directory traversal style attacks. This setting can create operability issues with non-compliant clients. In order to accommodate a non-compliant client, any deviation from the STIG setting must be approved by the ISSO.
If the ISSO has accepted the risk for enabling the ALLOW_BACKSLASH setting, this requirement is NA. From the Tomcat server as an elevated user, run the following command: sudo grep -i ALLOW_BACKSLASH $CATALINA_BASE/conf/catalina.properties sudo grep -i catalina_opts /etc/systemd/system/tomcat.service If org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true, this is a finding.
As a privileged user on the Tomcat server: If the finding is in the catalina.properties file, edit the $CATALINA_BASE/conf/catalina.properties file. sudo nano $CATALINA_BASE/conf/catalina.properties Change the org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true setting to =false. If the finding is in the /etc/systemd/services/tomcat/service file, edit the file using a text editor. sudo nano /etc/systemd/services/tomcat.service Locate the Environment='CATALINA_OPTS=' line and change the -D.org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true setting to =false. Restart Tomcat by running the following commands: sudo systemctl restart tomcat sudo systemctl daemon-reload